CVE-2025-27513: OpenTelemetry .NET has a Denial of Service (DoS) Vulnerability in API Package

7.5 CVSS

Description

OpenTelemetry dotnet is a .NET telemetry framework. A vulnerability in the OpenTelemetry.Api package, versions 1.10.0 to 1.11.1, could cause a Denial of Service (DoS) when tracestate and traceparent headers are received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web, and any backend service, that processes HTTP requests containing a tracestate header. Affected applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in version 1.11.2.

Classification

CVE ID: CVE-2025-27513

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: open-telemetry

Product: opentelemetry-dotnet

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (estimated probability that this vulnerability is exploited in the wild)

EPSS Percentile: 14.13% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-02 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27513
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5