OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
The practical availability impact for most Node.js deployments is limited. Node.js enforces a default --max-http-header-size of 16,384 bytes on the total combined size of all HTTP headers, constraining what an external attacker can deliver before the propagator is reached. Additionally, the header is already in memory (parsed by the HTTP layer) by the time it reaches the propagator; the additional allocation is the overhead of splitting into entry objects, …
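One way to bound the per-entry allocation described above, as an added example that is not code from the advisory or from OpenTelemetry: the parser rejects an oversized value before splitting and caps the number of stored entries. The function name and both limits are assumptions chosen for illustration.

```javascript
// Added example: bounded parsing of a W3C `baggage` header value.
// parseBaggageBounded and both limits are hypothetical, chosen for illustration.
const MAX_HEADER_BYTES = 8192; // assumed cap on the raw header value
const MAX_ENTRIES = 180;       // assumed cap on stored entries

function parseBaggageBounded(header, limits = {}) {
  const maxBytes = limits.maxBytes ?? MAX_HEADER_BYTES;
  const maxEntries = limits.maxEntries ?? MAX_ENTRIES;
  const entries = new Map();
  if (typeof header !== 'string' || header.length === 0) {
    return { entries, truncated: false, rejected: false };
  }
  // Check the size first, so an oversized value allocates no entry objects.
  if (Buffer.byteLength(header, 'utf8') > maxBytes) {
    return { entries, truncated: false, rejected: true };
  }
  let pos = 0;
  let truncated = false;
  // Scan by index rather than header.split(','), which would build an
  // array holding every member before any limit could apply.
  while (pos < header.length) {
    let end = header.indexOf(',', pos);
    if (end === -1) end = header.length;
    const member = header.slice(pos, end);
    pos = end + 1;
    const eq = member.indexOf('=');
    if (eq <= 0) continue; // empty member or missing key
    const key = member.slice(0, eq).trim();
    if (key.length === 0) continue;
    if (entries.size >= maxEntries) { truncated = true; break; }
    // Properties after ';' are dropped here to keep the example short.
    const raw = member.slice(eq + 1).split(';', 1)[0].trim();
    try {
      entries.set(key, decodeURIComponent(raw));
    } catch {
      continue; // malformed percent-encoding: skip this member
    }
  }
  return { entries, truncated, rejected: false };
}

// Constructed sample input, not taken from the advisory.
const sample = 'userId=alice, region=eu%2Dwest;prop=1,,bad';
console.log(parseBaggageBounded(sample).entries);
```

The `truncated` and `rejected` flags let the caller log or count capped headers instead of dropping them silently.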