VulnerableCode Package Details - pkg:nuget/OpenTelemetry.Api@1.11.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-wsjz-93sc-euds Aliases: CVE-2026-40894 GHSA-g94r-2vxg-569j	OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.	1.15.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-wsjz-93sc-euds
Aliases:
CVE-2026-40894
GHSA-g94r-2vxg-569j

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

1.15.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6std-yecc-7khy	OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in 1.11.2.	CVE-2025-27513 GHSA-8785-wc3w-h8q6

Vulnerability

Summary

Aliases

VCID-6std-yecc-7khy

OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in 1.11.2.

CVE-2025-27513
GHSA-8785-wc3w-h8q6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-15T01:54:54.063113+00:00	GHSA Importer	Fixing	VCID-6std-yecc-7khy	https://github.com/advisories/GHSA-8785-wc3w-h8q6	38.6.0
2026-06-12T22:12:42.129506+00:00	GitLab Importer	Affected by	VCID-wsjz-93sc-euds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/OpenTelemetry.Api/CVE-2026-40894.yml	38.6.0
2026-06-12T19:54:12.355096+00:00	GitLab Importer	Fixing	VCID-6std-yecc-7khy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/OpenTelemetry.Api/CVE-2025-27513.yml	38.6.0
2026-06-12T07:53:57.798319+00:00	GithubOSV Importer	Fixing	VCID-6std-yecc-7khy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-8785-wc3w-h8q6/GHSA-8785-wc3w-h8q6.json	38.6.0