CVE-2025-57804: h2 allows HTTP Request Smuggling due to illegal characters in headers

August 25, 2025 (updated August 26, 2025)

HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.

References

github.com/advisories/GHSA-847f-9342-265h
github.com/python-hyper/h2
github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a
github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h
nvd.nist.gov/vuln/detail/CVE-2025-57804

Code Behaviors & Features

Detect and mitigate CVE-2025-57804 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →