The OpenTelemetry JavaScript client (opentelemetry-js) versions before 2.8.0 contain a vulnerability (CWE-770) where the W3CBaggagePropagator.extract() method does not enforce the recommended size limits on inbound baggage HTTP headers. While the outbound inject() method enforces limits per the W3C Baggage specification (maximum 8,192 bytes and 180 entries), the extract() method allows parsing of oversized baggage headers without caps, causing memory allocation proportional to the header size. This can result in excessive resource consumption. The vulnerability is addressed in version 2.8.0.

This vulnerability can cause a denial of service condition by exhausting memory resources when processing oversized inbound baggage headers. There is no impact on confidentiality or integrity. The CVSS score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and impact limited to availability (memory exhaustion).

Upgrade opentelemetry-js to version 2.8.0 or later, where the issue is fixed by enforcing size limits on inbound baggage headers. No other mitigations are specified. Patch status is not explicitly stated but the fix is available in version 2.8.0.