OpenTelemetry dotnet is a popular telemetry framework for .NET applications that provides APIs, libraries, and agents to capture, process, and export telemetry data (traces, logs, and metrics) about application performance and behavior. A recently discovered vulnerability (CVE-2025-27513) affects the OpenTelemetry.Api package versions 1.10. to 1.11.1, and can potentially lead to Denial of Service (DoS) attacks when the application receives tracestate and traceparent headers in HTTP requests.

Vulnerability Details

This vulnerability can cause excessive resource consumption in an application, even if it does not explicitly use trace context propagation. High CPU usage may result from receiving and processing HTTP requests containing a tracestate header. This can lead to increased latency, degraded performance, or even downtime for the application.

Any web-accessible application or backend service that processes HTTP requests with tracestate headers is potentially impacted by this vulnerability. The issue is particularly critical in multi-tenant environments where multiple applications share infrastructure resources, since a DoS attack on one application could have a cascading effect on the others.

Code Snippet

The vulnerable code snippet is found in the OpenTelemetry.Api package, specifically around the processing of tracestate and traceparent headers. Here is the function where the vulnerability exists:

private void ProcessTracestateAndTraceparentHeaders(HttpRequest request)
{
    if (request.Headers.TryGetValues("traceparent", out var traceparentValues)
        && request.Headers.TryGetValues("tracestate", out var tracestateValues))
    {
        // Processing traceparent and tracestate header values
    }
}

Exploit Details

An attacker can exploit this vulnerability by sending HTTP requests containing a malicious tracestate header to the target application. The tracestate header does not necessarily need to be well-formed or valid to trigger the high CPU usage, making it relatively easy to craft and launch an attack.

Since the vulnerability is present in the OpenTelemetry.Api package, any application using this package for telemetry purposes is potentially at risk. This includes applications that have not explicitly enabled trace context propagation or even applications that do not actively use the OpenTelemetry APIs for tracing.

Original References

- OpenTelemetry dotnet Repository: https://github.com/open-telemetry/opentelemetry-dotnet
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27513

Solution

The OpenTelemetry team has fixed this vulnerability in the OpenTelemetry.Api package version 1.11.2. It is highly recommended to upgrade your application to this version or later to mitigate the risk of a DoS attack. To upgrade, update the package reference in your project file or use the following command with the dotnet CLI:

dotnet add package OpenTelemetry.Api --version 1.11.2
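To check whether a project still references an affected version before or after the upgrade, here is an added audit script (not part of the advisory or the OpenTelemetry project). It assumes the affected range starts at 1.10.0 and that 1.11.2, the fix version named above, is the first safe release; the sample .csproj is constructed for the demonstration.

```python
# Added example: audit a .csproj for OpenTelemetry.Api references in the affected range.
# Assumptions: the advisory's "1.10." is read as 1.10.0; 1.11.2 is the first fixed version.
import re
import xml.etree.ElementTree as ET

PACKAGE = "OpenTelemetry.Api"
FIRST_AFFECTED = (1, 10, 0)   # assumed lower bound of the affected range
FIRST_FIXED = (1, 11, 2)      # fixed release named in the advisory

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?\s*$")

def is_affected(version: str):
    """True if version is in [1.10.0, 1.11.2); False if outside; None if undecidable
    (floating versions such as '1.*', version ranges, or a prerelease of the fixed
    release, which NuGet orders before the release itself)."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) and core == FIRST_FIXED:
        return None
    return FIRST_AFFECTED <= core < FIRST_FIXED

def _local(tag: str) -> str:
    """Strip an XML namespace (older, non-SDK csproj files declare one)."""
    return tag.rsplit("}", 1)[-1]

def audit_csproj(xml_text: str):
    """Return (version, status) for every OpenTelemetry.Api PackageReference."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "PackageReference":
            continue
        if (elem.get("Include") or elem.get("Update")) != PACKAGE:
            continue
        version = elem.get("Version")
        if version is None:  # <Version> child-element form
            child = next((c for c in elem if _local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if version is None:  # central package management: version is in Directory.Packages.props
            findings.append((None, "review"))
            continue
        status = {True: "affected", False: "not affected", None: "review"}[is_affected(version)]
        findings.append((version, status))
    return findings

# Constructed sample project file for the demonstration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.1" />
    <PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.11.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, status in audit_csproj(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {status}")
```

Entries reported as "review" need a manual look: floating versions, ranges and centrally managed versions resolve at restore time, so checking the restored packages.lock.json or obj/project.assets.json is the authoritative answer.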

In conclusion, it is essential to be aware of this vulnerability (CVE-2025-27513) in the OpenTelemetry.Api package (versions 1.10. to 1.11.1) and take appropriate action to prevent potential DoS attacks on your .NET applications. Upgrading to version 1.11.2 or later will help ensure the security and availability of your services.

Timeline

Published on: 03/05/2025 19:15:39 UTC