PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50272 DataDog CVE debrief

CVE-2026-50272 is a high-severity vulnerability in the Datadog APM client for Node.js, allowing for a remote denial of service via unbounded CPU and memory consumption. The issue was fixed in version 5.100.0. This vulnerability affects users of Datadog APM client for Node.js, especially those with baggage propagation enabled. The vulnerability allows a remote, unauthenticated attacker to send a request with an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption. The issue was introduced in the W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js, where incoming baggage HTTP headers were parsed without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction.

Vendor
DataDog
Product
dd-trace-js
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Datadog APM client for Node.js, especially those with baggage propagation enabled, should update to version 5.100.0 or later to mitigate this vulnerability. This includes operators managing affected systems, platform administrators, vulnerability management teams, and security teams who need to assess the impact and implement necessary controls.

Technical summary

CVE-2026-50272 is a denial of service vulnerability in the Datadog APM client for Node.js. Prior to version 5.100.0, the W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction. This allows a remote, unauthenticated attacker to send a request with an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption.

Defensive priority

High priority due to potential for remote denial of service with low authentication requirements and significant resource consumption implications. Verify system readiness for potential traffic spikes and ensure monitoring is in place for unusual patterns that could indicate exploitation attempts. Consider rate limiting or other traffic shaping controls if feasible without impacting service availability. Implement additional logging and alerting around baggage header processing to quickly detect potential attacks. Review system performance benchmarks to ensure they account for the potential impact of large baggage headers. Consider compensating controls such as IP blocking or rate limiting if vendor patching cannot be immediately applied. Ensure incident response plans are updated to include procedures for handling potential denial of service attacks through this vulnerability. Conduct a thorough review of system dependencies and integrations to identify potential points of vulnerability. Develop a plan for rapid verification and deployment of future patches from Datadog. Coordinate with Datadog support to understand their stance on temporary mitigations while patching is in progress. Consider engaging with security researchers or threat intelligence feeds to stay informed about potential exploit development and mitigation strategies. Review and update security policies to include specific guidance on handling denial of service vulnerabilities in critical components like dd-trace. Ensure that security awareness training includes content on the risks associated with denial of service attacks and the importance of timely patching. Develop and implement custom detection rules to identify potential exploitation attempts in logs and network traffic. Consider conducting penetration testing or red team exercises to validate system defenses against denial of service attacks through this vulnerability. Review and refine incident response playbooks to include specific runbooks for CVE-2026-50272 exploitation attempts. Ensure that all relevant teams are aware of the vulnerability and its potential impact, and that clear communication channels are established for reporting.

Recommended defensive actions

  • Update to version 5.100.0 or later
  • Verify and enforce DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES
  • Monitor for suspicious traffic patterns
  • Implement compensating controls such as rate limiting
  • Review system performance benchmarks to ensure they account for the potential impact of large baggage headers
  • Conduct a thorough review of system dependencies and integrations to identify potential points of vulnerability
  • Develop a plan for rapid verification and deployment of future patches from Datadog

Evidence notes

The CVE record was published on 2026-07-17T21:17:07.200Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Official references include commits, pull requests, and release notes from the Datadog dd-trace-js repository. Evidence limits suggest verifying the impact of large baggage headers on system resources and confirming whether additional mitigations beyond updating to version 5.100.0 are necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:07.200Z and has not been modified since then.