Fluid Attacks Database

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	go.opentelemetry.io/otel/baggage	=1.41.0 \|\| >=1.41.0 <1.42.0 \|\| =1.43.0 \|\| >=1.43.0 <1.44.0	1.42.0, 1.44.0
go	go.opentelemetry.io/otel/propagation	=1.41.0 \|\| >=1.41.0 <1.42.0 \|\| =1.43.0 \|\| >=1.43.0 <1.44.0	1.42.0, 1.44.0
debian 12	golang-opentelemetry-otel	=1.1.0-2 \|\| =1.10.0-1 \|\| =1.16.0-1 \|\| =1.16.0-2 \|\| =1.19.0-0 \|\| =1.21.0-1 \|\| =1.21.0-2 \|\| =1.21.0-3 \|\| =1.21.0-4 \|\| =1.31.0-1 \|\| =1.31.0-2 \|\| =1.31.0-3 \|\| =1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6 \|\| =1.43.0-1 \|\| =1.43.0-2 \|\| =1.43.0-3 \|\| =1.43.0-4	-
debian 13	golang-opentelemetry-otel	=1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6 \|\| =1.43.0-1 \|\| =1.43.0-2 \|\| =1.43.0-3 \|\| =1.43.0-4	-
debian 14	golang-opentelemetry-otel	=1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6 \|\| =1.43.0-1 \|\| =1.43.0-2 \|\| =1.43.0-3 \|\| =1.43.0-4	-

Aliases

1. CVE-2026-411782. NVD-2026-411783. OSV-2026-411784. OSV-DEBIAN-2026-411785. GHSA-5wrp-cwcj-q8356. GCVE-2026-411787. SECURITY-TRACKER-CVE-2026-41178

References

1. https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835