Cyber Posture

CVE-2025-27513

Severity: High
Published: 05 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (OpenTelemetry.Api 1.11.2)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (15.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenTelemetry.Api (OpenTelemetry .NET) versions 1.10.0 through 1.11.1 consume excessive CPU when an incoming HTTP request carries traceparent and tracestate headers, whether or not the application itself uses trace context propagation. An unauthenticated remote attacker can send such requests to degrade or deny the application's availability. Fixed in OpenTelemetry.Api 1.11.2.

Security Summary

CVE-2025-27513 is a denial-of-service vulnerability in the OpenTelemetry.Api package, part of the OpenTelemetry .NET telemetry framework, affecting versions 1.10.0 through 1.11.1. The flaw causes high CPU usage when an application receives tracestate and traceparent headers in an HTTP request, even if the application never explicitly uses trace context propagation. Any .NET application that processes such requests is exposed, whether it faces the web directly or sits behind other services, and the result is increased latency, degraded performance, or downtime. The issue is classified as CWE-770 (allocation of resources without limits or throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote attacker needs no privileges or user interaction: sending HTTP requests that carry traceparent and tracestate headers to an affected application is enough. Exploitation produces sustained high CPU utilization, so the impact is on availability only; confidentiality and integrity are not affected.
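Because the CPU cost is incurred before the application ever decides whether it wants trace context, one defence in depth while the upgrade rolls out is to validate the two headers at the edge (reverse proxy, API gateway or a middleware in front of the telemetry layer) and drop anything that does not respect the W3C Trace Context limits. The following is an added example, not code from the OpenTelemetry project or this page; it does not reproduce the vulnerable parser, it only enforces the specification's shape and size limits (32 list-members, key and value grammar, non-zero trace-id and parent-id). The 512-character cap on the raw tracestate value and the restriction to version-00 traceparent headers are assumptions chosen for the example, and the sample requests are constructed.

```python
"""Edge-side validation of W3C Trace Context headers (added example, not project code)."""
from __future__ import annotations

import re

# Limits from the W3C Trace Context recommendation: at most 32 list-members in
# tracestate; keys up to 256 chars; values 1..256 printable ASCII without ',' or '='.
MAX_TRACESTATE_MEMBERS = 32
# Assumption: a hard cap on the raw tracestate length accepted at the edge. The
# spec only asks propagators to keep the header at or under 512 chars; refusing
# anything longer is a deliberately strict local policy chosen for this example.
MAX_TRACESTATE_LEN = 512

_TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")
# Approximation of the spec's key ABNF: simple keys (lcalpha first, up to 256
# chars) or multi-tenant keys (tenant-id "@" system-id, system-id up to 14 chars).
_KEY_RE = re.compile(
    r"^(?:[a-z][a-z0-9_\-*/]{0,255}|[a-z0-9][a-z0-9_\-*/]{0,240}@[a-z][a-z0-9_\-*/]{0,13})$"
)
# Value: up to 255 printable chars (space allowed, ',' and '=' excluded) ending in a non-space.
_VALUE_RE = re.compile(r"^[\x20-\x2b\x2d-\x3c\x3e-\x7e]{0,255}[\x21-\x2b\x2d-\x3c\x3e-\x7e]$")


def check_traceparent(value: str) -> str | None:
    """Return None for a well-formed version-00 traceparent, otherwise a reason."""
    m = _TRACEPARENT_RE.match(value.strip())
    if not m:
        return "traceparent: malformed"
    version, trace_id, parent_id, _flags = m.groups()
    if version != "00":
        # Assumption: only the version-00 layout is accepted at the edge; "ff" is
        # forbidden by the spec and other versions are unknown to this filter.
        return f"traceparent: unsupported version {version}"
    if trace_id == "0" * 32 or parent_id == "0" * 16:
        return "traceparent: all-zero trace-id or parent-id"
    return None


def check_tracestate(value: str) -> str | None:
    """Return None if `value` respects the W3C tracestate limits, otherwise a reason."""
    if len(value) > MAX_TRACESTATE_LEN:
        return f"tracestate: longer than {MAX_TRACESTATE_LEN} chars"
    # The spec allows (and tells receivers to tolerate) empty list-members.
    members = [m.strip() for m in value.split(",") if m.strip()]
    if len(members) > MAX_TRACESTATE_MEMBERS:
        return f"tracestate: more than {MAX_TRACESTATE_MEMBERS} list-members"
    seen: set[str] = set()
    for member in members:
        key, sep, val = member.partition("=")
        if not sep:
            return f"tracestate: list-member without '=': {member!r}"
        if not _KEY_RE.match(key):
            return f"tracestate: invalid key {key!r}"
        if not _VALUE_RE.match(val):
            return f"tracestate: invalid value for key {key!r}"
        if key in seen:
            return f"tracestate: duplicate key {key!r}"
        seen.add(key)
    return None


def sanitize_trace_headers(headers: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Drop traceparent/tracestate values that fail validation before they reach the app.

    Returns the cleaned header map and a reason for every dropped header. A
    tracestate without a valid traceparent is dropped too, as the spec requires.
    Multiple tracestate headers are assumed to have been joined with ',' already.
    """
    clean = dict(headers)
    reasons: list[str] = []
    tp_key = next((k for k in headers if k.lower() == "traceparent"), None)
    ts_key = next((k for k in headers if k.lower() == "tracestate"), None)

    tp_ok = tp_key is not None
    if tp_key is not None:
        err = check_traceparent(headers[tp_key])
        if err:
            reasons.append(err)
            del clean[tp_key]
            tp_ok = False
    if ts_key is not None:
        err = None if tp_ok else "tracestate: discarded because traceparent is absent or invalid"
        if err is None:
            err = check_tracestate(headers[ts_key])
        if err:
            reasons.append(err)
            del clean[ts_key]
    return clean, reasons


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = {"Traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
            "Tracestate": "congo=t61rcWkgMzE,rojo=00f067aa0ba902b7"}
    bloated = {"Traceparent": good["Traceparent"],
               "Tracestate": ",".join(f"v{i}=x" for i in range(200))}
    for req in (good, bloated):
        print(sanitize_trace_headers(req)[1] or "headers accepted")
```

Dropping the headers rather than rejecting the request keeps legitimate clients working (they lose only distributed tracing for that hop) while denying an attacker the vulnerable code path; log the reasons so that a burst of rejected tracestate values is visible as a signal in its own right. This is a stopgap, not a substitute for the upgrade.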

The vulnerability is fixed in OpenTelemetry.Api version 1.11.2, and the advisory recommends upgrading to that release. Note that OpenTelemetry.Api is usually not referenced directly: the OpenTelemetry SDK package and the instrumentation packages pull it in transitively, so confirm the resolved version of OpenTelemetry.Api rather than only the packages a project lists explicitly. Further details are in the GitHub security advisory (GHSA-8785-wc3w-h8q6) and the fixing commit (1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5).
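The check a practitioner wants here is "do any of my .NET projects resolve OpenTelemetry.Api into the affected range?" The following added example (not project code or anything from the advisory) scans a .csproj for direct references and a packages.lock.json for the resolved version, and marks a version vulnerable when it falls in [1.10.0, 1.11.2) using the range stated above. The handling of prerelease versions (ranking 1.11.2-beta.1 below 1.11.2, as NuGet does) and the refusal to judge version ranges or wildcards are assumptions made for the example; the sample project and lock file are constructed.

```python
"""Flag vulnerable OpenTelemetry.Api versions in .NET project and lock files (added example)."""
from __future__ import annotations

import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "OpenTelemetry.Api"
# Affected range from the advisory: 1.10.0 through 1.11.1, fixed in 1.11.2.
FIRST_AFFECTED = "1.10.0"
FIRST_FIXED = "1.11.2"

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def version_key(version: str) -> tuple[int, int, int, int]:
    """Ordering key for a NuGet/SemVer version string.

    Assumption: a prerelease (1.11.2-beta.1) sorts below its release, as NuGet
    orders it, so it stays inside the affected range; the 4th numeric component
    some NuGet versions carry is ignored. Ranges like "[1.11.0,)" or wildcards are
    rejected so the caller can ask for the resolved version instead.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a plain version: {version!r}")
    major, minor, patch, _revision, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True if `version` lies within [FIRST_AFFECTED, FIRST_FIXED)."""
    return version_key(FIRST_AFFECTED) <= version_key(version) < version_key(FIRST_FIXED)


def scan_csproj(xml_text: str) -> list[tuple[str, str]]:
    """Direct references to PACKAGE from PackageReference / PackageVersion items.

    Handles Version as an attribute or a child element, and both SDK-style files
    (no namespace) and legacy files with the msbuild namespace.
    """
    found: list[tuple[str, str]] = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = (child.text or "").strip() if child is not None else ""
        found.append((name, version))
    return found


def scan_lock_file(json_text: str) -> list[tuple[str, str, str]]:
    """Every resolved copy of PACKAGE in packages.lock.json, direct or transitive.

    Layout: {"dependencies": {"<tfm>": {"<package>": {"type": ..., "resolved": ...}}}}.
    """
    data = json.loads(json_text)
    found: list[tuple[str, str, str]] = []
    for tfm, packages in data.get("dependencies", {}).items():
        for name, info in packages.items():
            if name.lower() == PACKAGE.lower():
                found.append((tfm, info.get("type", "?"), info.get("resolved", "")))
    return found


def _verdict(label: str, version: str) -> str:
    try:
        return f"{'VULNERABLE' if is_affected(version) else 'ok'}: {label}"
    except ValueError:
        return f"REVIEW: {label} (not a plain version; check the resolved version in packages.lock.json)"


def report(csproj_text: str, lock_text: str) -> list[str]:
    """One verdict line per occurrence of PACKAGE in the project file and lock file."""
    lines = [_verdict(f"direct reference {name} {version}", version)
             for name, version in scan_csproj(csproj_text)]
    lines += [_verdict(f"{kind.lower()} dependency {PACKAGE} {version} ({tfm})", version)
              for tfm, kind, version in scan_lock_file(lock_text)]
    return lines


# Constructed sample files: the project references only the OpenTelemetry SDK
# package, and OpenTelemetry.Api arrives transitively, which is the usual case.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry" Version="1.11.1" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "OpenTelemetry": {"type": "Direct", "requested": "[1.11.1, )", "resolved": "1.11.1"},
            "OpenTelemetry.Api": {"type": "Transitive", "resolved": "1.11.1"},
        }
    },
})

if __name__ == "__main__":
    for line in report(SAMPLE_CSPROJ, SAMPLE_LOCK):
        print(line)
```

On the constructed sample the .csproj scan finds nothing, because the project never names OpenTelemetry.Api, while the lock file reveals the transitive 1.11.1 copy; that gap is why a lock file (or `dotnet list package --include-transitive`) is the right input, not the project file alone.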

Details

CWE(s)
CWE-770

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

This resource exhaustion DoS vulnerability (CWE-770) is directly triggered by crafted HTTP requests containing tracestate/traceparent headers, enabling adversaries to exhaust application CPU resources and cause downtime without requiring authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References