Description
Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
Published: 2026-06-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 bomb because the inbound HPACK decoder does not enforce a header‑list size limit: a small request inflates into a large server‑side allocation. The headers_decode subroutine materialises a full key+value copy for each indexed reference without a running size check, and stream_header_block_add (since version 1.12) appends every CONTINUATION frame to the per‑stream buffer without bound. Because the MAX_HEADER_LIST_SIZE setting the server advertises is never consulted during decoding, a crafted header block that references one large dynamic‑table entry many times costs the attacker one byte per reference but costs the server a full copy each time, exhausting memory and causing a crash or denial of service. This uncontrolled resource consumption is classified as CWE‑409 (Improper Handling of Highly Compressed Data).
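
The amplification described in the Description and the Impact paragraph above, as an added example that is not code from Protocol::HTTP2: a minimal Python HPACK decoder (non‑Huffman literals and indexed fields only) that keeps the running header‑list size the page says headers_decode lacks, plus a capped per‑stream buffer in place of the unbounded stream_header_block_add. The sample block, the header name x-bomb, the 4000‑byte value and the cap values are constructed for illustration; the 65536 default mirrors the MAX_HEADER_LIST_SIZE default the page quotes, not anything read from the module.

```python
"""Added example (not Protocol::HTTP2 code): a minimal HPACK decoder that keeps the
running header-list size the page says headers_decode lacks, plus a capped
per-stream CONTINUATION buffer, run against a constructed HTTP/2 bomb block.
Only non-Huffman literals and indexed fields are implemented."""

STATIC_LEN = 61        # real RFC 7541 static table length; entries below are a subset
STATIC_TABLE = {1: (b":authority", b""), 2: (b":method", b"GET"), 4: (b":path", b"/")}
ENTRY_OVERHEAD = 32    # per-field overhead (RFC 7541 4.1, RFC 7540 6.5.2)

class HeaderLimitExceeded(Exception):
    def __init__(self, msg, fields=0):
        super().__init__(msg)
        self.fields = fields          # fields accepted before the limit tripped

def encode_int(value, prefix_bits, first_byte=0):
    """HPACK integer encoding (RFC 7541 5.1); used only to build the sample."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte | value])
    out, value = bytearray([first_byte | limit]), value - limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise NotImplementedError("Huffman strings are not needed here")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length

def decode_header_block(block, max_header_list_size=65536, max_dynamic_table=4096):
    """Decode one HPACK block. The default cap mirrors the 65536 the page gives for
    MAX_HEADER_LIST_SIZE; None reproduces the unbounded vulnerable behaviour."""
    dynamic, dyn_size = [], 0                  # dynamic[0] is newest (HPACK index 62)
    headers, list_size, pos = [], 0, 0

    def lookup(index):
        if 1 <= index <= STATIC_LEN:
            return STATIC_TABLE[index]         # KeyError: static entry not modelled
        return dynamic[index - STATIC_LEN - 1]

    while pos < len(block):
        b = block[pos]
        if (b & 0xE0) == 0x20:                             # dynamic table size update
            max_dynamic_table, pos = decode_int(block, pos, 5)
            continue
        if b & 0x80:                                       # indexed header field
            index, pos = decode_int(block, pos, 7)
            (name, value), add = lookup(index), False
        else:                                              # literal field
            add = bool(b & 0x40)                           # incremental indexing form
            index, pos = decode_int(block, pos, 6 if add else 4)
            name, pos = (lookup(index)[0], pos) if index else decode_string(block, pos)
            value, pos = decode_string(block, pos)
        # The missing check: account for the field from the table entry's lengths
        # before it is copied out, so a one-byte reference cannot expand unchecked.
        list_size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and list_size > max_header_list_size:
            raise HeaderLimitExceeded(f"header list would reach {list_size} bytes "
                                      f"> {max_header_list_size}", fields=len(headers))
        headers.append((name, value))
        if add:
            dynamic.insert(0, (name, value))
            dyn_size += len(name) + len(value) + ENTRY_OVERHEAD
            while dyn_size > max_dynamic_table:            # evict oldest entries
                n, v = dynamic.pop()
                dyn_size -= len(n) + len(v) + ENTRY_OVERHEAD
    return headers, list_size

def build_bomb(value_len=4000, references=2000):
    """Constructed sample: one literal that lands in the dynamic table (6 + 4000 + 32
    = 4038 bytes, under the 4096 default), then `references` one-byte indexed
    references to it (index 62)."""
    name, value = b"x-bomb", b"A" * value_len
    block = bytearray(b"\x40")                 # literal, incremental indexing, new name
    block += encode_int(len(name), 7) + name + encode_int(len(value), 7) + value
    block += encode_int(STATIC_LEN + 1, 7, 0x80) * references
    return bytes(block)

def amplification(block):
    """(wire bytes, decoded header-list bytes, ratio) with the cap disabled."""
    _, decoded = decode_header_block(block, max_header_list_size=None)
    return len(block), decoded, decoded / len(block)

class StreamHeaderBuffer:
    """Per-stream HEADERS + CONTINUATION accumulation with a byte cap, the bound
    the page says stream_header_block_add has lacked since 1.12."""
    def __init__(self, max_block_bytes=4 * 16384):
        self.max_block_bytes, self.buf = max_block_bytes, bytearray()

    def add(self, fragment):
        if len(self.buf) + len(fragment) > self.max_block_bytes:
            raise HeaderLimitExceeded(f"header block exceeds {self.max_block_bytes} bytes")
        self.buf += fragment
        return len(self.buf)
```

With the defaults, build_bomb() is 6011 bytes on the wire and decodes to 2001 copies of a 4038‑byte field, about 8 MB, roughly a 1340× expansion; with the 65536 cap the decoder stops after 16 fields instead of copying all of them. The size check deliberately uses the table entry's lengths rather than the copied strings, so the cost of a rejected reference is a comparison, not an allocation. The buffer cap is a second, independent bound: even a block whose decoded size would pass must still fit in a fixed number of CONTINUATION bytes per stream.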

Affected Systems

The vulnerable component is the Protocol::HTTP2 Perl module (CPAN author CRUX). Versions up to and including 1.12 are affected; per the CVE description, 1.13 is the first fixed release. Administrators should check the installed module version and ensure it is 1.13 or later, or that the vendor patch has been applied to 1.12.

Risk and Exploitability

The vulnerability is remotely exploitable over HTTP/2 and requires only that the attacker can send HTTP/2 traffic to the affected server; no authentication, privilege or user interaction is needed (CVSS 3.1 AV:N/AC:L/PR:N/UI:N), and the SSVC assessment marks it automatable. The immediate consequence is memory exhaustion in the Perl process, which degrades or removes availability. The EPSS score of 0.00018 indicates a very low but non‑zero exploitation probability, and the issue is not listed in CISA's KEV catalog, although a working exploit needs nothing more than opening an HTTP/2 connection and sending a header block, split across CONTINUATION frames if desired, whose indexed references expand far beyond their wire size.

Generated by OpenCVE AI on June 9, 2026 at 08:25 UTC.

Remediation

Vendor Workaround

Apply the patch.


OpenCVE Recommended Actions

  • Apply the patch located at https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch to the Protocol::HTTP2 module.
  • Upgrade to Protocol::HTTP2 1.13 or later, the first release the CVE description lists as fixed, so that the vulnerability is fully resolved.
  • If the patch cannot be applied immediately, enforce the limit outside the vulnerable decoder: setting MAX_HEADER_LIST_SIZE in Protocol::HTTP2 itself does not help, because the affected versions advertise it but never consult it on decode. Terminate HTTP/2 at a reverse proxy that enforces its own header‑size limits and forwards to the Perl service over HTTP/1.1, and cap the memory of the Perl process (for example with a process supervisor or cgroup limit) so that a bomb kills one worker rather than the host.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Crux protocol::http2
Type: CPEs
  Values Added: cpe:2.3:a:crux:protocol\:\:http2:*:*:*:*:*:perl:*:*
Type: Vendors & Products
  Values Added: Crux protocol::http2

Tue, 09 Jun 2026 08:30:00 +0000


Tue, 09 Jun 2026 07:45:00 +0000

Type: Description
  Values Removed: Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
  Values Added: Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
Type: Title
  Values Removed: Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb
  Values Added: Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb
Type: References

Mon, 08 Jun 2026 19:30:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 07 Jun 2026 11:30:00 +0000

Type: First Time appeared
  Values Added: Crux; Crux protocol::http2
Type: Vendors & Products
  Values Added: Crux; Crux protocol::http2

Sat, 06 Jun 2026 12:30:00 +0000

Type: References

Sat, 06 Jun 2026 10:00:00 +0000

Type: Description
  Values Added: Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
Type: Title
  Values Added: Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb
Type: Weaknesses
  Values Added: CWE-409
Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-09T07:20:32.184Z

Reserved: 2026-06-03T09:18:37.572Z

Link: CVE-2026-10725

Vulnrichment

Updated: 2026-06-06T11:31:33.020Z

NVD

Status : Analyzed

Published: 2026-06-06T10:16:25.790

Modified: 2026-06-10T14:56:34.787

Link: CVE-2026-10725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:30:35Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)