h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into header names or values. This occurs when a server or proxy downgrades HTTP/2 requests to HTTP/1.1 without validating header names and values first: HTTP/2 carries each header as a length-prefixed field, so CR and LF are just bytes, but once the fields are re-serialised as HTTP/1.1 text those bytes become line and request boundaries, enabling attackers to append a second request and bypass security controls applied to the first one. This issue has been patched in version 4.3.0.
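The following is an added example, not code from the h2 project, that reproduces the mechanism described above in isolation: a naive HTTP/2 to HTTP/1.1 downgrade serialises a header block without checking it, a CRLF sequence in one value splits the result into two backend requests, and a field-validation check of the kind HTTP/2 requires (RFC 9113 section 8.2.1: lowercase token names, no NUL/CR/LF in values, no leading or trailing whitespace) rejects the block before serialisation. The header blocks, the `downgrade_to_http11` and `validate_header` functions and the `x-trace` header are all constructed for this illustration and are not h2's API.

```python
"""Added example, not h2's own code: a naive HTTP/2 -> HTTP/1.1 downgrade
that lets CR/LF inside a header split one request into two, beside the
field validation that stops it. All inputs below are constructed."""
from typing import List, Tuple

Header = Tuple[bytes, bytes]

# Token characters permitted in an HTTP/2 field name (RFC 9110 tchar),
# restricted to lowercase because HTTP/2 field names must be lowercase.
_LOWER_TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz")
# Octets that must never appear in a field value: NUL, LF, CR.
_FORBIDDEN_IN_VALUE = frozenset(b"\x00\n\r")


def validate_header(name: bytes, value: bytes) -> None:
    """Raise ValueError if (name, value) could not be re-serialised as a
    single unambiguous HTTP/1.1 header line. Pseudo-headers keep their
    leading ':' but the rest of the name must still be a lowercase token."""
    base = name[1:] if name.startswith(b":") else name
    if not base or any(c not in _LOWER_TCHAR for c in base):
        raise ValueError(f"illegal header name {name!r}")
    if any(c in _FORBIDDEN_IN_VALUE for c in value):
        raise ValueError(f"NUL/CR/LF in value of {name!r}")
    if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
        raise ValueError(f"leading/trailing whitespace in value of {name!r}")


def is_valid_header(name: bytes, value: bytes) -> bool:
    """Boolean wrapper around validate_header for callers that prefer a flag."""
    try:
        validate_header(name, value)
    except ValueError:
        return False
    return True


def downgrade_to_http11(headers: List[Header], validate: bool) -> bytes:
    """Turn an HTTP/2 header block into HTTP/1.1 request bytes, as a
    front end talking to an HTTP/1.1 backend would. validate=False models
    the unvalidated downgrade the advisory describes."""
    if validate:
        for name, value in headers:
            validate_header(name, value)
    pseudo = {n: v for n, v in headers if n.startswith(b":")}
    lines = [
        pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
        b"host: " + pseudo[b":authority"],
    ]
    lines += [n + b": " + v for n, v in headers if not n.startswith(b":")]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def count_requests(raw: bytes) -> int:
    """Count the HTTP/1.1 request heads a backend would parse out of raw."""
    heads = [c for c in raw.split(b"\r\n\r\n") if c]
    return sum(1 for h in heads if h.split(b"\r\n", 1)[0].endswith(b" HTTP/1.1"))


# Constructed attacker header block: the x-trace value ends one request and
# starts a second one that the front end never saw as a request.
SMUGGLING_HEADERS: List[Header] = [
    (b":method", b"GET"), (b":path", b"/"), (b":scheme", b"https"),
    (b":authority", b"example.com"),
    (b"x-trace", b"abc\r\n\r\nGET /admin HTTP/1.1\r\nhost: example.com"),
]

# Same request with a clean value, for comparison.
BENIGN_HEADERS: List[Header] = [
    (b":method", b"GET"), (b":path", b"/"), (b":scheme", b"https"),
    (b":authority", b"example.com"),
    (b"x-trace", b"abc"),
]

if __name__ == "__main__":
    raw = downgrade_to_http11(SMUGGLING_HEADERS, validate=False)
    print(f"unvalidated downgrade: {count_requests(raw)} request(s) reach the backend")
    try:
        downgrade_to_http11(SMUGGLING_HEADERS, validate=True)
    except ValueError as exc:
        print("validated downgrade rejected the block:", exc)
```

Run as-is, the unvalidated path yields two request heads on the wire (the second targeting `/admin` with its own `host`), while the validated path raises before a single byte is serialised. The check is deliberately placed at the HTTP/2 side, where the bytes are still length-delimited, rather than trusting the HTTP/1.1 serialiser or backend to notice the embedded boundary.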
History

Tue, 26 Aug 2025 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 Aug 2025 12:30:00 +0000

Type         Values Removed           Values Added
References
Metrics      threat_severity: None    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                                      threat_severity: Moderate


Tue, 26 Aug 2025 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Hyper
                                       Hyper h2
Vendors & Products                     Hyper
                                       Hyper h2

Mon, 25 Aug 2025 21:45:00 +0000

Type          Values Removed   Values Added
Description                    h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
Title                          h2 allows HTTP Request Smuggling due to illegal characters in headers
Weaknesses                     CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection')
References
Metrics                        cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-08-26T19:14:49.643Z

Reserved: 2025-08-20T14:30:35.009Z

Link: CVE-2025-57804

Vulnrichment

Updated: 2025-08-26T19:14:23.223Z

NVD

Status: Awaiting Analysis

Published: 2025-08-25T21:15:37.983

Modified: 2025-08-26T13:41:58.950

Link: CVE-2025-57804

Red Hat

Severity: Moderate

Public Date: 2025-08-25T21:04:52Z

Links: CVE-2025-57804 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-26T08:54:54Z