CVE-2025-27513

描述

### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received. * Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. * This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header. * Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. ### Patches _Has the problem been patched? What versions should users upgrade to?_ This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.</li><li data-start="1290" data-end="1409">The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.</li></ul><h4 data-start="1411" data-end="1434">Fixed Version:</h4> OpenTelemetry .NET Version | Status -- | -- <= 1.9.x | ✅ Not affected 1.10.0 - 1.11.1 | ❌ Vulnerable 1.11.2 (Fixed) | ✅ Safe to use **Upgrade Command:** ``` dotnet add package OpenTelemetry --version 1.11.2 ``` **Delisting of Affected Packages** To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find out more?_

如何修補 CVE-2025-27513

要修補 CVE-2025-27513,請將受影響套件升級到下列已修補版本。

—升級至 1.11.2 或更新版本

CVE-2025-27513 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

描述

如何修補 CVE-2025-27513

CVE-2025-27513 正在被利用嗎?

受影響套件(1)

CVSS 分數

參考連結(5)