GHSA-w8gf-g2vq-j2f4: amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames

April 3, 2024

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.

References

github.com/advisories/GHSA-w8gf-g2vq-j2f4
github.com/amphp/http-client
github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4
github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm

Detect and mitigate GHSA-w8gf-g2vq-j2f4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →