CVE-2025-57804

Summary

HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.

Published: Aug 25, 2025
Updated: Aug 26, 2025
CVE: CVE-2025-57804
GHSA: GHSA-847f-9342-265h
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-93

Affected Software
References

Software	From	Fixed in
h2	-	4.3.0

https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a
https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h

Vulnerability Database

CVE-2025-57804

Summary