CVE-2025-57804
Published 2025-08-25
Priority: P3 · 45 · Severity: medium · CVSS 4.0 base score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N (all remaining metrics not defined)
EPSS: 1.61% (72.9th percentile)
h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
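The mechanism behind that description, as an added example that is not code from the h2 project: an HTTP/2 header block is a list of (name, value) pairs carried in HPACK, where CR and LF are ordinary bytes, so a client can put `\r\n\r\n` inside a value. A front end that re-serializes those pairs as HTTP/1.1 without character checks then emits one request that the backend reads as two. The block below uses only the Python standard library; the hostname `app.example`, the `/admin` path and the header set are constructed sample data, and `validate_h2_headers` is an illustrative check written from the field-name and field-value rules of RFC 9113 section 8.2.1, not the library's own validator.

```python
"""Request splitting through an unvalidated HTTP/2 -> HTTP/1.1 downgrade.

Standalone illustration (standard library only, not h2's implementation).
"""
import re
from typing import List, Tuple

Headers = List[Tuple[bytes, bytes]]

# Field names: RFC 9110 token characters, lowercase only in HTTP/2 (RFC 9113 8.2.1).
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9a-z]+")
# Field values: NUL, CR and LF are forbidden (RFC 9113 8.2.1).
_FORBIDDEN_VALUE_RE = re.compile(rb"[\x00\r\n]")


class InvalidHeader(ValueError):
    """Raised for a header that must be rejected before any downgrade."""


def validate_h2_headers(headers: Headers) -> None:
    """Character-level checks only; pseudo-header ordering is out of scope here."""
    for name, value in headers:
        if name.startswith(b":"):  # :method, :path, :authority, ...
            continue
        if not _TOKEN_RE.fullmatch(name):
            raise InvalidHeader(f"illegal header name {name!r}")
        if _FORBIDDEN_VALUE_RE.search(value):
            raise InvalidHeader(f"NUL, CR or LF in value of {name!r}")
        if value != value.strip(b" \t"):
            raise InvalidHeader(f"leading/trailing whitespace in value of {name!r}")


def downgrade_to_http1(headers: Headers, validate: bool) -> bytes:
    """Re-serialize an HTTP/2 header block as an HTTP/1.1 request.

    validate=False models the unchecked downgrade the advisory describes;
    validate=True runs the character checks first and raises on bad input.
    """
    if validate:
        validate_h2_headers(headers)
    pseudo = {n: v for n, v in headers if n.startswith(b":")}
    regular = [(n, v) for n, v in headers if not n.startswith(b":")]
    lines = [
        b"%s %s HTTP/1.1\r\n" % (pseudo[b":method"], pseudo[b":path"]),
        b"Host: %s\r\n" % pseudo[b":authority"],
    ]
    lines += [b"%s: %s\r\n" % (n, v) for n, v in regular]
    return b"".join(lines) + b"\r\n"


def count_http1_requests(raw: bytes) -> int:
    """How many requests a downstream HTTP/1.1 parser would see in `raw`."""
    count = 0
    for chunk in raw.split(b"\r\n\r\n"):
        first_line = chunk.split(b"\r\n", 1)[0]
        if re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.1", first_line):
            count += 1
    return count


def is_rejected(headers: Headers) -> bool:
    """True if the validator refuses this header block."""
    try:
        validate_h2_headers(headers)
    except InvalidHeader:
        return True
    return False


# Constructed sample data (hostnames and paths are placeholders).
BENIGN: Headers = [
    (b":method", b"GET"),
    (b":path", b"/search"),
    (b":authority", b"app.example"),
    (b"user-agent", b"curl/8.0"),
]
# One header value that carries a complete second request after CRLF CRLF.
SMUGGLED: Headers = BENIGN + [
    (b"x-note", b"hi\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\nx-internal: 1"),
]
# HTTP/2 requires lowercase names; an uppercase name is malformed as well.
UPPERCASE_NAME: Headers = BENIGN + [(b"X-Note", b"hi")]

if __name__ == "__main__":
    raw = downgrade_to_http1(SMUGGLED, validate=False)
    print(raw.decode())
    print("requests seen by the HTTP/1.1 backend:", count_http1_requests(raw))
    print("rejected when validated first:", is_rejected(SMUGGLED))
```

With `validate=False` the returned bytes contain a second request line, and the backend treats everything after the injected blank line as a new request carrying a header the front end never intended to forward; with `validate=True` the block raises before any bytes are produced. The real fix is upgrading to h2 4.3.0; the check above shows the class of validation that the downgrade path needs, and it belongs on the HTTP/2 side, before translation, not after.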
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-h2 (bullseye) | < 4.0.0-3+deb11u1 | 4.0.0-3+deb11u1 |
| h2database | h2 | >= 0, < 4.3.0 | 4.3.0 |
| python-hyper | h2 | < 4.3.0 | 4.3.0 |
Note: the h2database row names the Java H2 database engine, a separate project from python-hyper/h2. The CVE text describes only the pure-Python h2 package, so treat that row as a product-name collision and verify it before acting on it.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.9 | MEDIUM | |
| vendor_debian | | 6.9 | MEDIUM | |
| vendor_redhat | | 6.9 | MEDIUM | |
GHSA
h2 allows HTTP Request Smuggling due to illegal characters in headers
ghsa · 2025-08-25 · MEDIUM · CWE-93
### Summary
HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.
OSV
CVE-2025-57804: h2 is a pure-Python implementation of an HTTP/2 protocol stack
osv · 2025-08-25 · CVSS 6.9 · MEDIUM
(Description identical to the NVD text above.)
OSV (mirror of the GHSA advisory)
h2 allows HTTP Request Smuggling due to illegal characters in headers
osv · 2025-08-25 · MEDIUM
(Summary identical to the GHSA entry above.)
Red Hat
h2: h2 allows HTTP Request Smuggling due to illegal characters in headers
vendor_redhat · 2025-08-25 · CVSS 6.9 · MEDIUM · CWE-93
A vulnerability was found in python-hyper/h2 that contains an input validation flaw that allows carriage return and line feed (CRLF) characters to be injected into HTTP/2 header fields. When requests are downgraded from HTTP/2 to HTTP/1.1, the library fails
Debian
CVE-2025-57804: python-h2
vendor_debian · 2025 · CVSS 6.9 · MEDIUM
Scope: local
bookworm: open
bullseye: resolved (fixed in 4.0.0-3+deb11u1)
forky: resolved (fixed in 4.3.0-1)
sid: resolved (fixed in 4.3.0-1)
trixie: open
No detection rules found.
No public exploits indexed.