js · @opentelemetry/core · Heads-up
@opentelemetry/core: W3CBaggagePropagator.extract() size limits enforced
What changed
W3CBaggagePropagator.extract() in @opentelemetry/core did not enforce size limits when parsing inbound baggage HTTP headers, while limits were enforced on the outbound inject() path. The fix in version 2.8.0 enforces a maximum total baggage size of 8,192 bytes, a maximum of 180 entries, and a maximum per-entry size of 4,096 bytes.
Who it affects
Users of @opentelemetry/core who parse inbound baggage headers, especially those using non-HTTP transports or deployments with a raised --max-http-header-size.
What to do today
Update @opentelemetry/core to version 2.8.0 or later.
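An added example, not code from @opentelemetry/core: a check that applies the three limits stated above to a carrier received over a non-HTTP transport before it is handed to a propagator. The function names, the `baggage` carrier key, the reason strings and the drop-the-field behaviour are assumptions made for illustration; the page does not say how the library itself handles an oversized header.

```javascript
// Added example: the limits are the values stated above; all names are hypothetical.
const MAX_TOTAL_BYTES = 8192; // whole baggage header
const MAX_ENTRIES = 180;      // comma-separated list members
const MAX_ENTRY_BYTES = 4096; // one "key=value;properties" member

// Checks a raw baggage header against the three limits without decoding values.
// Returns { ok: true, entries } or { ok: false, reason }.
function checkBaggageHeader(header) {
  if (typeof header !== 'string') return { ok: false, reason: 'not-a-string' };
  // The limits are byte limits, so measure UTF-8 bytes, not string length.
  if (Buffer.byteLength(header, 'utf8') > MAX_TOTAL_BYTES) {
    return { ok: false, reason: 'total-size' };
  }
  const entries = header.split(',').map((e) => e.trim()).filter((e) => e !== '');
  if (entries.length > MAX_ENTRIES) {
    return { ok: false, reason: 'entry-count' };
  }
  for (const entry of entries) {
    if (Buffer.byteLength(entry, 'utf8') > MAX_ENTRY_BYTES) {
      return { ok: false, reason: 'entry-size' };
    }
  }
  return { ok: true, entries: entries.length };
}

// Guard for a carrier object built from a non-HTTP message (assumed to hold the
// header under the key "baggage"): an out-of-limit field is removed and the
// reason is returned so the caller can log or count it.
function sanitizeCarrier(carrier) {
  if (carrier.baggage === undefined) return { carrier, dropped: null };
  const result = checkBaggageHeader(carrier.baggage);
  if (result.ok) return { carrier, dropped: null };
  const { baggage: _removed, ...rest } = carrier;
  return { carrier: rest, dropped: result.reason };
}

// Constructed sample carrier with a 9,002-byte baggage value.
const oversized = { messageId: 'm-1', baggage: 'k=' + 'a'.repeat(9000) };
console.log(sanitizeCarrier(oversized).dropped); // → total-size
```

Counting `dropped` reasons per peer gives a simple signal for senders that push baggage past the limits.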