GHSA-qjfw-cvjf-f4fm

Source

https://github.com/advisories/GHSA-qjfw-cvjf-f4fm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-qjfw-cvjf-f4fm/GHSA-qjfw-cvjf-f4fm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qjfw-cvjf-f4fm

Aliases

CVE-2024-2653

Published

2024-04-03T18:06:45Z

Modified

2024-05-02T19:04:36.643232Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Summary

AMPHP Denial of Service via HTTP/2 CONTINUATION Frames

Details

amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.

Acknowledgements

Thank you to Bartek Nowotarski for reporting the vulnerability.

References

Affected packages

Packagist / amphp/http

Package

Name: amphp/http
Purl: pkg:composer/amphp/http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.1

Affected versions

v2.*

v2.0.0

v2.1.0

Database specific

{
    "last_known_affected_version_range": "<= 2.1.0"
}

Packagist / amphp/http

Package

Name: amphp/http
Purl: pkg:composer/amphp/http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.3

Affected versions

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0-rc1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.7.2

Database specific

{
    "last_known_affected_version_range": "<= 1.7.2"
}

Packagist / amphp/http-client

Package

Name: amphp/http-client
Purl: pkg:composer/amphp/http-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-rc10

Last affected

4.0.0

Affected versions

v4.*

v4.0.0-rc10

v4.0.0-rc11

v4.0.0