amphp/http Host Header Injection vulnerability
amphp/http versions before 1.0.1 allows an attacker to supply invalid input in the Host header which may lead to various type of Host header injection attacks.
Advisories for Composer/Amphp/Http package
2024
AMPHP Denial of Service via HTTP/2 CONTINUATION Frames
amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
2018
Incorrect header injection check
amphp/http isn't properly protected against HTTP header injection.
Improper Neutralization of HTTP Headers for Scripting Syntax
HTTP header injection vulnerability in the http package.