Vulnerability Database

308,926

Total vulnerabilities in the database

CVE-2025-57804

h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.

Published: Aug 25, 2025
Updated: Nov 17, 2025
CVE: CVE-2025-57804
GHSA: GHSA-847f-9342-265h
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-93

Affected Software
References

Software	From	Fixed in
h2	-	4.3.0

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo