CVE-2025-27513
📋 TL;DR
A vulnerability in OpenTelemetry.Api for .NET versions 1.10.0 to 1.11.1 causes Denial of Service when processing HTTP requests containing tracestate and traceparent headers. This triggers high CPU usage even when applications don't explicitly use trace context propagation, affecting any web-accessible application or backend service processing HTTP requests. The vulnerability can lead to degraded performance, increased latency, or complete downtime.
💻 Affected Systems
- OpenTelemetry.Api for .NET
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, affecting all users and potentially cascading to dependent services.
Likely Case
Degraded performance and increased latency during attack periods, with potential temporary service disruptions.
If Mitigated
Minimal impact with proper rate limiting and monitoring, though some performance degradation may still occur during attacks.
🎯 Exploit Status
Exploitation requires sending HTTP requests with specific headers, which is trivial for attackers. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.2
Vendor Advisory: https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
Restart Required: Yes
Instructions:
1. Update the OpenTelemetry.Api package to version 1.11.2 or later.
2. Update the package reference in your project file.
3. Rebuild and redeploy your application.
4. Restart the application service.
🔧 Temporary Workarounds
Header Filtering
Filter or block HTTP requests containing tracestate and traceparent headers at the web server or load balancer level.
Rate Limiting
Implement rate limiting on HTTP endpoints to mitigate DoS impact.
🧯 If You Can't Patch
- Implement WAF rules to block or rate limit requests with tracestate headers
- Deploy additional monitoring for CPU spikes and implement auto-scaling to handle increased load
🔍 How to Verify
Check if Vulnerable:
Check your project's package references for OpenTelemetry.Api version between 1.10.0 and 1.11.1.
Check Version:
dotnet list package --include-transitive | findstr OpenTelemetry.Api
Verify Fix Applied:
Verify OpenTelemetry.Api package version is 1.11.2 or later in your project dependencies.
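A substring match such as `findstr OpenTelemetry.Api` also hits packages whose names merely start with that string (for example OpenTelemetry.Api.ProviderBuilderExtensions). The script below is an added example, not part of this advisory or of the OpenTelemetry project: it parses the output of `dotnet list package --include-transitive`, matches the package name exactly, and compares the resolved version against the 1.10.0 to 1.11.1 range. The sample output is constructed; the package and column layout assumed are those of recent .NET SDKs.

```python
import re

# Affected range taken from the advisory: 1.10.0 <= version < 1.11.2.
# The trailing flag orders a pre-release below its final release (SemVer rule),
# so 1.11.2-beta.1 is still treated as unfixed.
VULN_MIN = (1, 10, 0, 0)
FIXED = (1, 11, 2, 1)

# Constructed sample of `dotnet list package --include-transitive` output.
# The last line only starts with "OpenTelemetry.Api"; a bare findstr matches it too.
SAMPLE_OUTPUT = """\
Project 'WebApp' has the following package references
   [net8.0]:
   Top-level Package      Requested   Resolved
   > OpenTelemetry        1.11.0      1.11.0

   Transitive Package                               Resolved
   > OpenTelemetry.Api                              1.11.0
   > OpenTelemetry.Api.ProviderBuilderExtensions    1.11.0
"""

def parse_version(text: str) -> tuple:
    """'1.11.0' -> (1, 11, 0, 1); '1.11.2-beta.1' -> (1, 11, 2, 0)."""
    core, _, prerelease = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # pad '1.11' to three components
    return tuple(parts) + (0 if prerelease else 1,)

def resolved_versions(output: str, package: str) -> list:
    """Resolved versions of exactly `package`, whether top-level or transitive."""
    versions = []
    for line in output.splitlines():
        # "> Name Requested Resolved" (top-level) or "> Name Resolved" (transitive)
        m = re.match(r"\s*>\s+(\S+)\s+(?:\S+\s+)?(\S+)\s*$", line)
        if m and m.group(1) == package:
            versions.append(m.group(2))
    return versions

def is_vulnerable(version: str) -> bool:
    return VULN_MIN <= parse_version(version) < FIXED

def check(output: str) -> dict:
    """Map each resolved OpenTelemetry.Api version to whether it is affected."""
    return {v: is_vulnerable(v) for v in resolved_versions(output, "OpenTelemetry.Api")}

if __name__ == "__main__":
    for ver, vuln in check(SAMPLE_OUTPUT).items():
        status = "VULNERABLE, update to 1.11.2 or later" if vuln else "not affected"
        print(f"OpenTelemetry.Api {ver}: {status}")
```

Feed it real output with `dotnet list package --include-transitive | python check.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; an empty result means the package is not in the dependency graph at all.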
📡 Detection & Monitoring
Log Indicators:
- Unusual CPU spikes
- Increased request processing times
- HTTP requests with tracestate headers in access logs
Network Indicators:
- High volume of HTTP requests with tracestate headers
- Unusual traffic patterns to vulnerable endpoints
SIEM Query:
source="web_server" AND (header="tracestate" OR header="traceparent") | stats count by src_ip