Headline
GHSA-w8gf-g2vq-j2f4: amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames
Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.
Acknowledgements
Thank you to Bartek Nowotarski for reporting the vulnerability.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-w8gf-g2vq-j2f4
amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames
High severity GitHub Reviewed Published Apr 3, 2024 in amphp/http-client • Updated Apr 3, 2024
Package
composer amphp/http-client (Composer)
Affected versions
>= 4.0.0-rc10, <= 4.0.0
Patched versions
4.1.0-rc1
Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.
Acknowledgements
Thank you to Bartek Nowotarski for reporting the vulnerability.
References
- GHSA-w8gf-g2vq-j2f4
- GHSA-qjfw-cvjf-f4fm
Published to the GitHub Advisory Database
Apr 3, 2024