GHSA-mvpq-2v8x-ww6g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mvpq-2v8x-ww6g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mvpq-2v8x-ww6g/GHSA-mvpq-2v8x-ww6g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mvpq-2v8x-ww6g
- Aliases
- Published
- 2026-01-21T01:05:09Z
- Modified
- 2026-02-03T03:18:15.413864Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash
- Details
-
Impact
A denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header.
Allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace Context is through Swift OTel.
Patches
https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e
Workarounds
Disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a
TracingMiddleware).References
- Database specific
{ "nvd_published_at": "2026-01-19T21:15:52Z", "github_reviewed_at": "2026-01-21T01:05:09Z", "severity": "MODERATE", "cwe_ids": [ "CWE-20" ], "github_reviewed": true }- References
-
- https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g
- https://nvd.nist.gov/vuln/detail/CVE-2026-23886
- https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e
- https://github.com/swift-otel/swift-otel/releases/tag/1.0.4
- https://github.com/swift-otel/swift-w3c-trace-context
- https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5
Affected packages
SwiftURL / github.com/swift-otel/swift-w3c-trace-context
Package
- Name
- github.com/swift-otel/swift-w3c-trace-context
- Purl
- pkg:swift/github.com/swift-otel/swift-w3c-trace-context