CVE-2025-27513
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Description
### Impact

_What kind of vulnerability is it? Who is impacted?_

A vulnerability in the `OpenTelemetry.Api` package, versions `1.10.0` to `1.11.1`, could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received.

* Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
* This issue impacts any application accessible over the web, or any backend service, that processes HTTP requests containing a `tracestate` header.
* Applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

* This issue has been **resolved in OpenTelemetry.Api 1.11.2** by **reverting the change** that introduced the problematic behavior in versions **1.10.0 to 1.11.1**.
* The fix ensures that **valid tracing headers no longer cause excessive CPU consumption** when received in requests.

#### **Fixed Version:**

OpenTelemetry .NET Version | Status
-- | --
<= 1.9.x | ✅ Not affected
1.10.0 - 1.11.1 | ❌ Vulnerable
1.11.2 (Fixed) | ✅ Safe to use

**Upgrade Command:**

```
dotnet add package OpenTelemetry --version 1.11.2
```

**Delisting of Affected Packages**

To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References

_Are there any links users can visit to find out more?_
How to fix CVE-2025-27513
To remediate CVE-2025-27513, upgrade the affected package to a fixed version below.
- Upgrade to 1.11.2 or later
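To check a .NET project against the version range in this advisory, here is an added example (not code from the OpenTelemetry project or the advisory) that scans a `.csproj` for `OpenTelemetry.Api` and `OpenTelemetry` package references and flags versions in the affected range 1.10.0 through 1.11.1; the sample project file is constructed for the example, and the version parser drops prerelease suffixes as a simplification.

```python
import xml.etree.ElementTree as ET

# Range taken from the advisory: 1.10.0 through 1.11.1 is affected, 1.11.2 is the
# first fixed release. Package names are the two the advisory itself mentions.
WATCHED_PACKAGES = {"OpenTelemetry.Api", "OpenTelemetry"}
FIRST_AFFECTED = (1, 10, 0)
FIRST_FIXED = (1, 11, 2)


def parse_version(text):
    """Turn '1.11.1' or '1.11.1-beta.1' into a comparable (major, minor, patch) tuple.
    Prerelease and build metadata are dropped (simplification; '1.11.2-rc' is treated as fixed).
    Floating ranges such as '1.11.*' are rejected rather than guessed at."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if the version falls inside the advisory's vulnerable range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def scan_csproj(xml_text):
    """Return (package, version, affected) for each watched PackageReference in a .csproj.
    Handles both the Version="..." attribute and the <Version> child element form."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include")
        version = ref.get("Version")
        if version is None:
            child = ref.find("Version")
            version = child.text if child is not None else None
        if name in WATCHED_PACKAGES and version:
            findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample project file for the example; not from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.1" />
    <PackageReference Include="OpenTelemetry" Version="1.9.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version, affected in scan_csproj(SAMPLE_CSPROJ):
        print(f"{name} {version}: {'VULNERABLE' if affected else 'ok'}")
```

Transitive references are not visible in a `.csproj`, so for a full check run the same range test over `dotnet list package --include-transitive` output or the project's lock file.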
Is CVE-2025-27513 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.