Debian H2O vulnerabilities

CVE-2025-8671 [HIGH] CVE-2025-8671: h2o - A mismatch caused by client-triggered server-sent stream resets between HTTP/2 s... A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker

CVE-2024-45397 [MEDIUM] CVE-2024-45397: h2o - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP... h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on th

CVE-2024-25622 [LOW] CVE-2024-25622: h2o - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configur... h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if

CVE-2024-45403 [LOW] CVE-2024-45403: h2o - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is ... h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. Howev

CVE-2023-44487 [HIGH] CVE-2023-44487: dnsdist - The HTTP/2 protocol allows a denial of service (server resource consumption) bec... The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.8.2-2) sid: resolved (fixed in 1.8.2-2) trixie: resolved (fixed in 1.8.2-2)

CVE-2023-41337 [MEDIUM] CVE-2023-41337: h2o - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2... h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o m

CVE-2023-30847 [HIGH] CVE-2023-30847: h2o - H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy... H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been

CVE-2023-50247 [LOW] CVE-2023-50247: h2o - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC sta... h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (in version 2.3.0-beta and prior), is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually ca

CVE-2021-43848 [HIGH] CVE-2021-43848: h2o - h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may... h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerabilit

CVE-2019-9512 [HIGH] CVE-2019-9512: h2o - Some HTTP/2 implementations are vulnerable to ping floods, potentially leading t... Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Scope: local bookworm: resolved (fixed in 2.2.5+dfsg2-3) bullse

CVE-2019-9514 [HIGH] CVE-2019-9514: h2o - Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading... Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Scope: local book

CVE-2019-9515 [HIGH] CVE-2019-9515: h2o - Some HTTP/2 implementations are vulnerable to a settings flood, potentially lead... Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,

CVE-2018-0608 [CRITICAL] CVE-2018-0608: h2o - Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to exec... Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via unspecified vectors. Scope: local bookworm: resolved (fixed in 2.2.5+dfsg1-1) bullseye: resolved (fixed in 2.2.5+dfsg1-1)

CVE-2017-10908 [HIGH] CVE-2017-10908: h2o - H2O version 2.2.3 and earlier allows remote attackers to cause a denial of servi... H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header. Scope: local bookworm: resolved (fixed in 2.2.4+dfsg-1) bullseye: resolved (fixed in 2.2.4+dfsg-1)

CVE-2017-10872 [MEDIUM] CVE-2017-10872: h2o - H2O version 2.2.3 and earlier allows remote attackers to cause a denial of servi... H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors. Scope: local bookworm: resolved (fixed in 2.2.4+dfsg-1) bullseye: resolved (fixed in 2.2.4+dfsg-1)

CVE-2017-10869 [HIGH] CVE-2017-10869: h2o - Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to caus... Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecified vectors. Scope: local bookworm: resolved (fixed in 2.2.3+dfsg-1) bullseye: resolved (fixed in 2.2.3+dfsg-1)

CVE-2017-10868 [HIGH] CVE-2017-10868: h2o - H2O version 2.2.2 and earlier allows remote attackers to cause a denial of servi... H2O version 2.2.2 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/1 header. Scope: local bookworm: resolved (fixed in 2.2.3+dfsg-1) bullseye: resolved (fixed in 2.2.3+dfsg-1)

CVE-2016-4864 [HIGH] CVE-2016-4864: h2o - H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attacke... H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. Scope: local bookworm: resolved bullseye: resolved

CVE-2016-7835 [CRITICAL] CVE-2016-7835: h2o - Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of... Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information. Scope: local bookworm: resolved bullseye: resolved

CVE-2016-1133 [LOW] CVE-2016-1133: h2o - CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in... CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI. Scope: local bookworm: resolved bullseye: resolved