GHSA-qjfw-cvjf-f4fm

Source
https://github.com/advisories/GHSA-qjfw-cvjf-f4fm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-qjfw-cvjf-f4fm/GHSA-qjfw-cvjf-f4fm.json
Aliases
  • CVE-2024-2653
Published
2024-04-03T18:06:45Z
Modified
2024-04-10T18:55:46.162763Z
Details

amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.

Acknowledgements

Thank you to Bartek Nowotarski for reporting the vulnerability.

References

Affected packages

Packagist / amphp/http

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.1

Affected versions

v2.*

v2.0.0
v2.1.0

Database specific

{
    "last_known_affected_version_range": "<= 2.1.0"
}

Packagist / amphp/http

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.7.3

Affected versions

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0-rc1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.2

Database specific

{
    "last_known_affected_version_range": "<= 1.7.2"
}