CVE-2023-26044 — Uncontrolled Resource Consumption in Http
Severity
NVD: 5.3 MEDIUM
GHSA: 7.5
OSV: 7.5
EPSS
0.1% (top 65.85%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 17, 2023
Description
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing…
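The description above identifies the precondition for the high-CPU case: an explicitly large RequestBodyBufferMiddleware limit in front of the multipart parser. The following is an added example, not code from the advisory or from the react/http project, showing where that setting lives in a React\Http\HttpServer middleware chain and two bounded alternatives. The handler, the buffer sizes, the concurrency limits and the listen address are illustrative assumptions; the middleware and class names are react/http's own 1.x API.

```php
<?php
// Added example (not from the advisory or the react/http project): four ways to
// wire React\Http\HttpServer. Handler logic, sizes, limits and the listen
// address are illustrative assumptions.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ServerRequestInterface;
use React\Http\HttpServer;
use React\Http\Message\Response;
use React\Http\Middleware\LimitConcurrentRequestsMiddleware;
use React\Http\Middleware\RequestBodyBufferMiddleware;
use React\Http\Middleware\RequestBodyParserMiddleware;
use React\Http\Middleware\StreamingRequestMiddleware;
use React\Promise\Promise;
use React\Socket\SocketServer;

// Illustrative application handler: reports how many form fields and uploads
// the multipart parser produced for the request.
$handler = function (ServerRequestInterface $request) {
    $fields = count($request->getParsedBody() ?? []);
    $files  = count($request->getUploadedFiles());
    return new Response(200, ['Content-Type' => 'text/plain'], "fields={$fields} files={$files}\n");
};

// 1. Default wiring. With no StreamingRequestMiddleware given, HttpServer adds
//    LimitConcurrentRequestsMiddleware, RequestBodyBufferMiddleware (sized from
//    the post_max_size ini setting, 8M in a stock php.ini) and
//    RequestBodyParserMiddleware itself. This is the "default configuration"
//    the advisory describes as having little to no impact.
$defaultServer = new HttpServer($handler);

// 2. Explicit, very large buffer: the configuration the advisory describes as
//    exploitable on unpatched versions. A client may send a multipart body of
//    up to 1 GiB that is buffered in memory and then handed to the parser,
//    which on affected versions keeps parsing parts after the field and file
//    limits have already been reached.
$exposedServer = new HttpServer(
    new LimitConcurrentRequestsMiddleware(100),
    new RequestBodyBufferMiddleware(1024 * 1024 * 1024), // 1 GiB, illustrative "very large" setting
    new RequestBodyParserMiddleware(),
    $handler
);

// 3. Bounded alternative: keep the buffer close to what the application needs
//    and cap concurrent buffered requests, so worst-case memory is limit * size
//    and the amount of multipart data any one request can feed the parser is small.
$boundedServer = new HttpServer(
    new LimitConcurrentRequestsMiddleware(20),
    new RequestBodyBufferMiddleware('2M'),
    new RequestBodyParserMiddleware(),
    $handler
);

// 4. Streaming alternative: no buffering and no multipart parsing at all; the
//    handler enforces its own byte ceiling and closes the body early.
$maxBytes = 8 * 1024 * 1024; // illustrative ceiling
$streamingServer = new HttpServer(
    new StreamingRequestMiddleware(),
    function (ServerRequestInterface $request) use ($maxBytes) {
        $body = $request->getBody(); // a ReadableStreamInterface under StreamingRequestMiddleware
        return new Promise(function ($resolve) use ($body, $maxBytes) {
            $seen = 0;
            $body->on('data', function ($chunk) use (&$seen, $body, $maxBytes, $resolve) {
                $seen += strlen($chunk);
                if ($seen > $maxBytes) {
                    $body->close(); // stop reading; the remainder is never parsed
                    $resolve(new Response(413, ['Content-Type' => 'text/plain'], "too large\n"));
                }
                // otherwise stream $chunk to disk or upstream; never hold it all in memory
            });
            $body->on('end', function () use (&$seen, $resolve) {
                $resolve(new Response(200, ['Content-Type' => 'text/plain'], "received {$seen} bytes\n"));
            });
            $body->on('error', function () use ($resolve) {
                $resolve(new Response(400, ['Content-Type' => 'text/plain'], "bad body\n"));
            });
        });
    }
);

// Only one server is started here; which wiring to use is a deployment choice.
$socket = new SocketServer('127.0.0.1:8080'); // illustrative address
$boundedServer->listen($socket);
echo "Listening on http://127.0.0.1:8080\n";
```

To check an existing deployment, grep for explicit `new RequestBodyBufferMiddleware(` constructions and compare the argument against `post_max_size`; servers that rely on the default wiring are in the low-impact category the description refers to, while the fix itself is only obtained by updating react/http.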
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability subscore: 3.9 | Impact subscore: 1.4
This vector yields the NVD score of 5.3; the 7.5 assigned by GHSA and OSV corresponds to the same vector with the availability impact rated High (A:H) instead of Low.
Affected Packages: 3 packages
Patches
Vulnerability Details (4 references)
GHSA, 2023-05-17: ReactPHP's HTTP server continues parsing unused multipart parts after reaching input field and file upload limits
OSV, 2023-05-17: ReactPHP's HTTP server continues parsing unused multipart parts after reaching input field and file upload limits
CVEList
OSV, 2023-05-17: CVE-2023-26044: react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP