CVE-2025-27513
Published: 05 March 2025
Summary
CVE-2025-27513 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 16.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by identifying, reporting, and correcting the specific flaw in OpenTelemetry.Api through patching to version 1.11.2.
Implements denial-of-service protections at system boundaries to block or throttle HTTP requests containing malicious tracestate and traceparent headers that trigger high CPU usage.
Enforces resource allocation quotas and limits to protect against excessive CPU consumption caused by processing malformed trace headers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This resource exhaustion DoS vulnerability (CWE-770) is directly triggered by crafted HTTP requests containing tracestate/traceparent headers, enabling adversaries to exhaust application CPU resources and cause downtime without requiring authentication.
NVD Description
OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in 1.11.2.
Deeper analysis
CVE-2025-27513 is a denial-of-service vulnerability affecting the OpenTelemetry.Api package versions 1.10.0 through 1.11.1, part of the OpenTelemetry .NET telemetry framework. The flaw triggers high CPU usage when an application receives tracestate and traceparent headers in HTTP requests, even if the application does not explicitly use trace context propagation. This leads to excessive resource consumption in any .NET application accessible over the web or backend services processing such HTTP requests, potentially causing increased latency, degraded performance, or downtime. The issue is rated CWE-770 (allocation of resources without limits or throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers require no privileges or user interaction to exploit this vulnerability by sending HTTP requests containing a tracestate header to affected applications. Exploitation results in denial of service through sustained high CPU utilization, impacting availability without compromising confidentiality or integrity.
The vulnerability is addressed in OpenTelemetry.Api version 1.11.2. Security advisories recommend upgrading to this fixed release. Further details are provided in the GitHub security advisory (GHSA-8785-wc3w-h8q6) and the patching commit (1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5).
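As an added example (not part of this advisory or of the OpenTelemetry project), the following Python check supports the SI-2 flaw-remediation step: it reads a .csproj and a NuGet packages.lock.json and flags OpenTelemetry.Api versions inside the affected 1.10.0 to 1.11.1 range. The sample project files are constructed, and pre-release tags on versions are assumed to be ignorable for the comparison.

```python
"""Flag OpenTelemetry.Api versions affected by CVE-2025-27513 in .NET build files."""
import json
import xml.etree.ElementTree as ET

PACKAGE = "OpenTelemetry.Api"
AFFECTED_MIN = (1, 10, 0)  # first affected release, per the advisory
FIXED = (1, 11, 2)         # first fixed release, per the advisory

def parse_version(text):
    """'1.11.1-beta.2+build' -> (1, 11, 1); pre-release/build tags dropped (assumption)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True when 1.10.0 <= version < 1.11.2, the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

def versions_from_csproj(xml_text):
    """Versions on <PackageReference Include="OpenTelemetry.Api"> entries."""
    out = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        if ref.get("Include", "").lower() == PACKAGE.lower():
            # Version may be an attribute or a nested <Version> element.
            ver = (ref.get("Version") or ref.findtext("Version") or "").strip()
            if ver:
                out.append(ver)
    return out

def versions_from_lockfile(json_text):
    """Resolved versions (direct or transitive) per target framework."""
    deps_by_tfm = json.loads(json_text).get("dependencies", {}).values()
    return [d[PACKAGE]["resolved"] for d in deps_by_tfm
            if PACKAGE in d and "resolved" in d[PACKAGE]]

def affected_versions(csproj_text="", lock_text=""):
    """Sorted, de-duplicated affected versions found across both inputs."""
    found = versions_from_csproj(csproj_text) if csproj_text else []
    found += versions_from_lockfile(lock_text) if lock_text else []
    return sorted({v for v in found if is_affected(v)}, key=parse_version)

# Constructed sample inputs, not taken from a real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="OpenTelemetry.Api" Version="1.11.1" />
  <PackageReference Include="OpenTelemetry" Version="1.11.2" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "OpenTelemetry.Api": {"type": "Transitive", "resolved": "1.10.0"}}}})

if __name__ == "__main__":
    print(affected_versions(SAMPLE_CSPROJ, SAMPLE_LOCK))  # ['1.10.0', '1.11.1']
```

The lock file matters because OpenTelemetry.Api is often pulled in transitively and never appears in the .csproj itself.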
Details
- CWE(s)