[GHSA-mh2q-q3fh-2475] OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

[Ankush-Pathak]

Updates

• Affected products

Comments
The currently listed affected package names (go.opentelemetry.io/otel/propagation and go.opentelemetry.io/otel/baggage) are Go packages rather than Go modules.

This distinction creates a downstream detection issue:

SBOM Generation: SBOM generators (like Syft) cannot detect these packages within compiled binaries, meaning they do not include the affected paths in their output.

Vulnerability Scanning: Consequently, CVE scanners (like Grype) that rely on GHSA records fail to detect the vulnerability because the required path was never emitted by the SBOM generator.

A Similar Example:
For a comparable situation, see advisory GHSA-98j2-3j3p-fw2v at GHSA-98j2-3j3p-fw2v. In that instance, the vulnerability and its corresponding fix (gofiber/fiber@66a8814) are located in the specific package github.com/gofiber/fiber/v2/middleware/session. However, the advisory is reported as affecting the parent module (github.com/gofiber/fiber) too.

[github]

Hi there @dashpole! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory