CVE-2025-57804 — CRLF Injection in H2

CWE-93 — CRLF Injection6 documents5 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 79.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python-hyper H2 H2database H2 Debian Python-h2

Timeline

PublishedAug 25

Description

h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages3 packages

▶CVEListV5python-hyper/h2< 4.3.0

▶debiandebian/python-h2< python-h2 4.0.0-3+deb11u1 (bullseye)

▶PyPIh2database/h2< 4.3.0

🔴Vulnerability Details

GHSA

h2 allows HTTP Request Smuggling due to illegal characters in headers↗2025-08-25

▶

OSV

CVE-2025-57804: h2 is a pure-Python implementation of a HTTP/2 protocol stack↗2025-08-25

▶

OSV

h2 allows HTTP Request Smuggling due to illegal characters in headers↗2025-08-25

▶

📋Vendor Advisories

Red Hat

h2: h2 allows HTTP Request Smuggling due to illegal characters in headers↗2025-08-25

▶

Debian

CVE-2025-57804: python-h2 - h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version ...↗2025

▶