amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.

Acknowledgements

Thank you to Bartek Nowotarski for reporting the vulnerability.

Published: Apr 3, 2024
Updated: Apr 11, 2024
GHSA: GHSA-w8gf-g2vq-j2f4
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CWEs:

CWE-789
CWE-770

Affected Software
References

Software	From	Fixed in
amphp / http-client	4.0.0-rc10	4.1.0-rc1

https://github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4
https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm

Vulnerability Database

amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

Acknowledgements

Deep Security Visibility Without the Complexity