PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
Psl\H2\ServerConnection does not validate that the total number of bytes received in DATA frames matches the content-length header declared in the HEADERS frame. RFC 9113 §8.1.1 requires a message whose content-length does not equal the sum of its DATA frame payload lengths to be treated as malformed and rejected with a stream error of type PROTOCOL_ERROR. A malicious client can:

- Send more DATA bytes than declared, smuggling additional content past application-level size limits.
- Send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.

The vulnerability is only reachable …
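The two mismatch cases above, as an added worked example that is not Psl's code and does not reflect ServerConnection's internals: a constructed, stand-alone HTTP/2 frame walker that accumulates DATA content per stream and applies the RFC 9113 §8.1.1 check, with a `validate=False` mode that mirrors the flaw described. The function names (`receive_request`, `build_request`), the single-stream simplification and the HPACK subset (literal header fields without indexing only) are assumptions of the example.

```python
"""Frame-level check for the RFC 9113 §8.1.1 content-length rule.

Constructed, stand-alone example (not Psl code): a tiny HTTP/2 frame
encoder/decoder whose HPACK support is limited to literal header fields
without indexing, which is enough to carry a content-length header.
"""
import struct

DATA, HEADERS = 0x0, 0x1                 # frame types (RFC 9113 §6.1, §6.2)
END_STREAM, END_HEADERS, PADDED = 0x1, 0x4, 0x8


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """9-byte frame header (24-bit length, type, flags, 31-bit stream id) + payload."""
    assert len(payload) < 1 << 24 and stream_id < 1 << 31
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


def hpack_literal(name: bytes, value: bytes) -> bytes:
    """HPACK literal header field without indexing, new name (RFC 7541 §6.2.2), no Huffman."""
    assert len(name) < 127 and len(value) < 127   # single-byte length prefixes only
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def hpack_decode_literals(block: bytes) -> dict:
    """Decode only the representation produced by hpack_literal()."""
    headers, i = {}, 0
    while i < len(block):
        if block[i] != 0x00:
            raise ValueError("demo decoder only handles 0x00 literal fields")
        nlen = block[i + 1]
        name = block[i + 2:i + 2 + nlen]
        vlen = block[i + 2 + nlen]
        value = block[i + 3 + nlen:i + 3 + nlen + vlen]
        headers[name.decode()] = value.decode()
        i += 3 + nlen + vlen
    return headers


def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in buf."""
    i = 0
    while i < len(buf):
        length = int.from_bytes(buf[i:i + 3], "big")
        ftype, flags = buf[i + 3], buf[i + 4]
        stream_id = int.from_bytes(buf[i + 5:i + 9], "big") & 0x7FFFFFFF
        payload = buf[i + 9:i + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        i += 9 + length


def data_content(flags: int, payload: bytes) -> bytes:
    """Strip DATA padding (RFC 9113 §6.1); only content bytes count toward content-length."""
    if flags & PADDED:
        pad_len = payload[0]
        if pad_len >= len(payload):
            raise ValueError("padding exceeds frame payload")
        return payload[1:len(payload) - pad_len]
    return payload


def receive_request(buf: bytes, validate: bool = True):
    """Read one request on one stream and return (status, headers, body).

    validate=False mirrors the advisory's flaw: the body is whatever DATA
    arrived. validate=True applies §8.1.1: status 'overrun' when DATA exceeds
    the declared content-length, 'underrun' when END_STREAM arrives short. A
    real server maps either to a PROTOCOL_ERROR stream error (RST_STREAM)
    instead of handing the body to the application.
    """
    headers, declared, body = {}, None, bytearray()
    for ftype, flags, _sid, payload in iter_frames(buf):
        if ftype == HEADERS:
            if flags & PADDED or not flags & END_HEADERS:
                raise ValueError("demo handles unpadded HEADERS with END_HEADERS only")
            headers = hpack_decode_literals(payload)
            if "content-length" in headers:
                declared = int(headers["content-length"])
        elif ftype == DATA:
            body += data_content(flags, payload)
            if validate and declared is not None and len(body) > declared:
                return "overrun", headers, bytes(body)   # reject before buffering more
        if flags & END_STREAM:
            if validate and declared is not None and len(body) != declared:
                return "underrun", headers, bytes(body)
            return "ok", headers, bytes(body)
    raise ValueError("stream did not end")


def build_request(content_length: int, chunks: list) -> bytes:
    """Client side: POST with a declared content-length and the given DATA chunks."""
    block = (hpack_literal(b":method", b"POST") + hpack_literal(b":path", b"/upload")
             + hpack_literal(b"content-length", str(content_length).encode()))
    out = frame(HEADERS, END_HEADERS | (END_STREAM if not chunks else 0), 1, block)
    for n, chunk in enumerate(chunks):
        out += frame(DATA, END_STREAM if n == len(chunks) - 1 else 0, 1, chunk)
    return out


if __name__ == "__main__":
    cases = [("honest", build_request(5, [b"hel", b"lo"])),
             ("overrun", build_request(5, [b"hello", b" smuggled"])),
             ("underrun", build_request(10, [b"hello"]))]
    for name, req in cases:
        print(name, "unvalidated ->", receive_request(req, validate=False)[0],
              "| validated ->", receive_request(req)[0])
```

The overrun check fires on the DATA frame that crosses the declared length rather than at END_STREAM, so a server using it never buffers the smuggled tail; the underrun check can only fire at END_STREAM, which is why a client closing early must be handled there and the partial body discarded rather than passed on as if complete.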