CVE-2026-50272

DataDog · dd-trace-js

The DataDog dd-trace-js library is vulnerable to resource exhaustion due to improper allocation of resources without limits, enabling remote denial of service.

Executive summary

The DataDog dd-trace-js library contains a high severity vulnerability that permits unauthenticated remote attackers to exhaust system resources and cause service disruption.

Vulnerability

This vulnerability is classified as CWE-770, which involves the allocation of resources without appropriate limits or throttling. The flaw is remotely exploitable without authentication or user interaction.

Business impact

With a CVSS score of 7.5, this vulnerability represents a substantial risk to the availability of Node based applications utilizing the Datadog APM client. Exploitation can lead to application crashes or severe performance degradation, which negatively impacts service reliability and operational continuity.

Remediation

Immediate Action: Update the dd-trace-js package to version 5.100.0 or higher to apply the necessary resource handling fixes.

Proactive Monitoring: Review application logs for abnormal error rates or process termination events that may indicate resource exhaustion attempts.

Compensating Controls: Ensure that the underlying Node environment has configured resource limits, such as memory heap constraints, to mitigate the impact of potential exhaustion attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Maintaining service uptime is critical for monitoring infrastructure. Security teams should ensure that all instances of the dd-trace-js library are updated to version 5.100.0 immediately to prevent potential denial of service attacks that could compromise application monitoring and stability.