Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13OGdmLWcydnEtajJmNM4AA6nf

amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.

Acknowledgements

Thank you to Bartek Nowotarski for reporting the vulnerability.

Permalink: https://github.com/advisories/GHSA-w8gf-g2vq-j2f4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OGdmLWcydnEtajJmNM4AA6nf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago

CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Identifiers: GHSA-w8gf-g2vq-j2f4
References:

• https://github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4
• https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm
• https://github.com/advisories/GHSA-w8gf-g2vq-j2f4

Repository: https://github.com/amphp/http-client
Blast Radius: 22.0

Affected Packages