cbcvebase.
CVE-2024-2653
published 2024-04-03

Priority: P2 (61)
Severity: high, 8.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:H
EPSS: 83.24% (99.6th percentile)

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

Affected (6 ranges)

| Vendor | Product           | Version range         | Fixed in |
| amphp  | amphp_http        | 2.0.0-beta.1 – 2.1.0  |          |
| amphp  | amphp_http        | v1.6.0-rc1 – 1.7.2    |          |
| amphp  | amphp_http-client | v4.0.0-rc10 – 4.0.0   |          |
| amphp  | http              | >= 0 < 1.7.3          | 1.7.3    |
| amphp  | http              | >= 2.0.0 < 2.1.1      | 2.1.1    |
| amphp  | http-client       | 4.0.0-rc10 – 4.0.0    |          |

Detection & IOCs (extracted from sources)

  • Detect unbounded HTTP/2 CONTINUATION frame floods targeting a single stream: an unauthenticated remote attacker sends repeated CONTINUATION frames without the END_HEADERS flag set, exhausting server memory (OOM) or compute resources.
  • Monitor for a high volume of HTTP/2 CONTINUATION frames sent within a single stream from unauthenticated sources, which is the attack vector for this DoS vulnerability.
  • No practical mitigation has been identified by Red Hat; patching the affected amphp/http package is the only recommended remediation. The system should recover normal operations on its own once an attack ends.
  • The vulnerability requires no authentication to exploit, making it trivially accessible to any remote attacker with network access to the server.
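Added illustration of the defect class (not code from amphp/http or from this record): a minimal HTTP/2 frame parser that assembles HEADERS/CONTINUATION payloads per stream, with the "check the limit only once END_HEADERS arrives" pattern beside the per-frame bound that closes it. Frame type and flag values follow RFC 9113; the `check_per_frame` switch and the fixtures are constructed for the demonstration, not captured traffic or the library's own API.

```python
# HTTP/2 frame constants from RFC 9113: frame types and the END_HEADERS flag.
HEADERS, CONTINUATION, END_HEADERS, FRAME_HEADER_LEN = 0x1, 0x9, 0x4, 9

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in the buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        off += FRAME_HEADER_LEN
        yield ftype, flags, stream_id, data[off:off + length]
        off += length

def assemble_header_blocks(data: bytes, max_header_size: int, check_per_frame: bool) -> dict:
    """Collect HEADERS + CONTINUATION payloads per stream until END_HEADERS.
    check_per_frame=False mirrors the vulnerable pattern: the size limit is only
    consulted once END_HEADERS arrives, so the buffer grows unbounded until then.
    check_per_frame=True is the fix: reject as soon as the partial block exceeds the limit.
    Returns {'ok', 'buffered': bytes still held, 'frames': header frames consumed}.
    """
    buffers: dict = {}
    frames = 0
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue  # other frame types do not contribute to a header block
        frames += 1
        buf = buffers.setdefault(sid, bytearray())
        buf += payload
        if len(buf) > max_header_size and (check_per_frame or flags & END_HEADERS):
            return {"ok": False, "buffered": len(buf), "frames": frames}
        if flags & END_HEADERS:
            del buffers[sid]  # complete block would now go to the HPACK decoder
    return {"ok": True, "buffered": sum(len(b) for b in buffers.values()), "frames": frames}

def sample_unterminated_block(n_frames: int, chunk: int = 1024) -> bytes:
    """Constructed fixture (not captured traffic): a HEADERS frame plus n_frames - 1
    CONTINUATION frames on stream 1, none of which sets END_HEADERS."""
    data = build_frame(HEADERS, 0, 1, b"\x00" * chunk)
    for _ in range(n_frames - 1):
        data += build_frame(CONTINUATION, 0, 1, b"\x00" * chunk)
    return data
```

With a 4 KiB limit, the unchecked variant happily holds all eight frames (8192 bytes) while the per-frame bound rejects the stream at the fifth frame; a well-formed block that ends with END_HEADERS passes both and is released from the buffer.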

CVSS provenance

NVD (v3.1): 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Vendor (Red Hat): 8.2 HIGH