First published: Wed Apr 03 2024(Updated: )
`amphp/http` will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. `amphp/http-client` and `amphp/http-server` are indirectly affected if they're used with an unpatched version of `amphp/http`. Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected. ## Acknowledgements Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.
Affected Software | Affected Version | How to fix |
---|---|---|
composer/amphp/http | <=1.7.2 | 1.7.3 |
composer/amphp/http | >=2.0.0<=2.1.0 | 2.1.1 |
composer/amphp/http-client | >=4.0.0-rc10<=4.0.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.