
Uncaught "URI malformed" error in baggageHeaderToObject due to invalid percent-encoding in baggage header #16251

Closed
@roman-antl-satoshilabs

Description


Is there an existing issue for this?

How do you use Sentry?

Self-hosted/on-premise

Which SDK are you using?

@sentry/node - fastify

SDK Version

9.17.0

Framework Version

node.js

Link to Sentry event

No response

Reproduction Example/SDK Setup

Description:
When the Sentry SDK for Node.js receives a request with an invalid baggage header (containing malformed percent-encoding, e.g. %3G or %4Z), it throws an uncaught URIError: URI malformed exception. This happens because baggageHeaderToObject uses the function decodeURIComponent.

This causes the entire Node.js process (e.g. Fastify server) to crash before any application-level error handling or middleware can run, making it impossible to sanitize or ignore the header at the application level.

Relevant Code:
Link here

Additional Context:

This issue cannot be worked around at the application level, since Sentry parses the header before any framework middleware or hooks are executed.
The only current workaround is to filter the header at the proxy/load balancer level, which is not always possible.
This can be exploited to cause a denial of service by sending malformed headers.

Steps to Reproduce

  1. Start a Node.js server with Sentry SDK enabled (e.g. Fastify, Express).
  2. Send a request with a baggage header containing invalid percent-encoding, e.g.: %20%3G%4Z
  3. Observe that the server crashes with a URIError: URI malformed originating from Sentry.

Expected Result

Sentry should gracefully handle invalid percent-encoding in the baggage header. Ideally, it should:

Ignore or skip invalid key-value pairs in the header.
Not crash the process.
Optionally log a warning or report the malformed header as a non-fatal event.

Actual Result

The process crashes with an uncaught exception:

URIError: URI malformed
    at decodeURIComponent (<anonymous>)
    at baggageHeaderToObject (.../sentry-javascript/packages/core/src/utils-hoist/baggage.ts:116:32)
    ...
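The failure mode above, with one possible tolerant parser beside it, as an added example that is not Sentry's code: the naive version lets the URIError from decodeURIComponent escape, the safe version drops undecodable pairs and counts them so the caller can log a warning. The header value, the function names and the return shape are assumptions made for this example.

```javascript
// Added example (not Sentry's code): a baggage-header parser that tolerates
// malformed percent-encoding instead of letting URIError escape.

// Naive parser mirroring the failure mode in the issue: decodeURIComponent
// throws URIError on a sequence such as "%3G", and nothing catches it.
function baggageHeaderToObjectNaive(header) {
  return header.split(',').reduce((acc, entry) => {
    const [key, value] = entry.split('=');
    acc[decodeURIComponent(key.trim())] = decodeURIComponent((value || '').trim());
    return acc;
  }, {});
}

// Decode one component; return undefined on malformed input instead of throwing.
function safeDecode(component) {
  try {
    return decodeURIComponent(component);
  } catch (err) {
    if (err instanceof URIError) return undefined;
    throw err; // anything else is a real bug, do not hide it
  }
}

// Hardened parser: skips any key/value pair that fails to decode and reports
// how many were dropped so the caller can emit a non-fatal warning.
function baggageHeaderToObjectSafe(header) {
  const result = {};
  let skipped = 0;
  for (const entry of header.split(',')) {
    const eq = entry.indexOf('=');
    if (eq === -1) { skipped += 1; continue; } // not a key=value pair
    const key = safeDecode(entry.slice(0, eq).trim());
    const value = safeDecode(entry.slice(eq + 1).trim());
    if (key === undefined || key === '' || value === undefined) { skipped += 1; continue; }
    result[key] = value;
  }
  return { baggage: result, skipped };
}

// Constructed header: a valid pair, a pair with invalid percent-encoding, a valid pair.
const SAMPLE_HEADER = 'sentry-trace_id=abc123,bad=%20%3G%4Z,ok=a%20b';

// Returns true when the naive parser crashes with URIError on the given header.
function naiveThrows(header) {
  try { baggageHeaderToObjectNaive(header); return false; }
  catch (err) { return err instanceof URIError; }
}
```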
