Vulnerability Database

325,648

Total vulnerabilities in the database

amphp/http-server affected by HTTP/2 DDoS vulnerability

Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506.

In versions 3.4.4 and 2.1.10, stream reset protection has been refactored to account for the number of reset streams within a sliding time window.

Note that your application must expose HTTP/2 connections directly to be affected by this vulnerability. Servers behind a proxy using HTTP/1.x such as nginx are not affected.

Published: Feb 10, 2026
Updated: Mar 1, 2026
GHSA: GHSA-8grv-jq2g-cfhw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
amphp / http-server	3.0.0-beta.1	3.4.4
amphp / http-server	2.0.0-rc1	2.1.10

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo