CVE-2024-2653
Published 2024-04-03
Priority: P2 · 61 · High · CVSS 3.1 base score 8.2
EPSS: 83.24% (99.6th percentile)
amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amphp | amphp_http | 2.0.0-beta.1 – 2.1.0 | — |
| amphp | amphp_http | v1.6.0-rc1 – 1.7.2 | — |
| amphp | amphp_http-client | v4.0.0-rc10 – 4.0.0 | — |
| amphp | http | >= 0 < 1.7.3 | 1.7.3 |
| amphp | http | >= 2.0.0 < 2.1.1 | 2.1.1 |
| amphp | http-client | 4.0.0-rc10 – 4.0.0 | — |
Detection & IOCs (extracted from sources)
- Detect unbounded HTTP/2 CONTINUATION frame floods targeting a single stream: an unauthenticated remote attacker sends repeated CONTINUATION frames without the END_HEADERS flag set, exhausting server memory (OOM) or compute resources.
- Monitor for a high volume of HTTP/2 CONTINUATION frames sent within a single stream from unauthenticated sources, which is the attack vector for this DoS vulnerability.
- No practical mitigation has been identified by Red Hat; patching the affected amphp/http package is the only recommended remediation. The system should recover normal operations on its own once an attack ends.
- The vulnerability requires no authentication to exploit, making it trivially accessible to any remote attacker with network access to the server.
CVSS provenance
- NVD: CVSS v3.1 8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
- Red Hat (vendor): 8.2 HIGH
OSV
AMPHP Denial of Service via HTTP/2 CONTINUATION Frames
osv · 2024-04-03 · HIGH
`amphp/http` will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. `amphp/http-client` and `amphp/http-server` are indirectly affected if they're used with an unpatched version of `amphp/http`. Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
## Acknowledgements
Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.
GHSA
AMPHP Denial of Service via HTTP/2 CONTINUATION Frames
ghsa · 2024-04-03 · HIGH
Red Hat
amphp: CONTINUATION frames DoS
vendor_redhat · 2024-04-03 · CVSS 8.2 · HIGH · CWE-400
amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.
A vulnerability was found in how amphp implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service.
Statement: Red Hat rates the security impact of this vulnerability as Important due to the worst case scenario resulting in a denial of service. It is simple to exploit, could significantly impact availability, and there is no reaso
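As an added illustration of the defect described in the OSV and Red Hat entries above (example code written for this page, not amphp's own implementation), the following Python models an HTTP/2 header-block collector in both forms: the vulnerable pattern that buffers HEADERS/CONTINUATION fragments without bound and consults the size limit only once END_HEADERS arrives, and the corrected pattern that enforces the limit on the running total at every fragment. The frame layout follows RFC 9113; the 8 KiB limit, the stream id and the 100-frame sample stream are constructed for the demonstration.

```python
import struct

# HTTP/2 frame types and flags (RFC 9113).
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length

def collect_header_block(data, max_header_size, check_each_fragment):
    """Accumulate a header block; returns (outcome, peak_buffer_bytes).
    check_each_fragment=False reproduces the vulnerable pattern (limit consulted
    only at END_HEADERS); True enforces the limit on the running total."""
    buf, peak = b"", 0
    for ftype, flags, _sid, payload in parse_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue
        if check_each_fragment and len(buf) + len(payload) > max_header_size:
            return "rejected", peak  # abort before buffering the oversized fragment
        buf += payload
        peak = max(peak, len(buf))
        if flags & END_HEADERS:
            return ("rejected" if len(buf) > max_header_size else "ok"), peak
    return "incomplete", peak  # END_HEADERS never arrived; buffer held at 'peak' bytes

# Constructed sample: one HEADERS frame then 99 CONTINUATION frames on stream 1,
# each 1 KiB, none carrying END_HEADERS. Opaque zero bytes stand in for HPACK data.
FLOOD = frame(HEADERS, 0, 1, b"\x00" * 1024) + b"".join(
    frame(CONTINUATION, 0, 1, b"\x00" * 1024) for _ in range(99))
LIMIT = 8192  # constructed 8 KiB header-block limit

def compare():
    """Run the vulnerable and hardened collectors over the same sample stream."""
    return collect_header_block(FLOOD, LIMIT, False), collect_header_block(FLOOD, LIMIT, True)

if __name__ == "__main__":
    print(compare())  # (('incomplete', 102400), ('rejected', 8192))
```

The vulnerable collector keeps growing as long as the peer withholds END_HEADERS, while the hardened one stops the stream at the configured limit regardless of how many fragments follow.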
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- https://github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4
- https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm
- https://www.kb.cert.org/vuls/id/421644
Published 2024-04-03