Description
Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to an HTTP/2 Bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
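As an added illustration (example code written for this page, not Protocol::HTTP2's decoder, and in Python rather than Perl), the following minimal HPACK decoder shows how a one-byte indexed reference re-materialises a large dynamic-table entry, and applies the running header-list-size accounting from RFC 7540 section 6.5.2 (name + value + 32 per field) that the description says is missing. The function names and the constructed input in build_bomb are this example's own.

```python
# Minimal HPACK subset (RFC 7541) plus the RFC 7540 s6.5.2 header-list-size check; hypothetical example, not Protocol::HTTP2 code.

STATIC_TABLE_SIZE = 61   # dynamic-table entries start at index 62
ENTRY_OVERHEAD = 32      # per-field overhead from RFC 7541 s4.1

class HeaderListTooLarge(Exception):
    pass

def decode_int(buf, pos, prefix_bits):
    """HPACK integer with an N-bit prefix (RFC 7541 s5.1); returns (value, new_pos)."""
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:                                   # continuation bytes: 7 bits each, MSB = more
        value += (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
        if not buf[pos - 1] & 0x80:
            return value, pos

def read_string(buf, pos):
    length, pos = decode_int(buf, pos, 7)         # raw (non-Huffman) literal: 7-bit length prefix
    return buf[pos:pos + length].decode("latin-1"), pos + length

def decode_header_block(buf, max_header_list_size=65536):
    """Decode a header block, charging name + value + 32 per field against the cap."""
    dynamic, headers, total, pos = [], [], 0, 0   # no dynamic-table eviction modelled
    while pos < len(buf):
        if buf[pos] & 0x80:                       # indexed field (s6.1): 1 byte on the wire
            idx, pos = decode_int(buf, pos, 7)
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif buf[pos] & 0x40:                     # literal with incremental indexing (s6.2.1)
            idx, pos = decode_int(buf, pos, 6)    # index 0 here: the name is sent literally
            name, pos = read_string(buf, pos)
            value, pos = read_string(buf, pos)
            dynamic.insert(0, (name, value))      # newest entry becomes index 62
        else:
            raise ValueError("representation not handled by this example")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > max_header_list_size:          # the running check the advisory says is absent
            raise HeaderListTooLarge(f"{total} bytes after {len(headers) + 1} fields")
        headers.append((name, value))
    return headers

def build_bomb(repeats=1000):
    """Constructed input: one literal 'x-pad' field with a 4000-byte value (length 4000
    encodes as 7f a1 1e), then 1-byte indexed references (0xbe = 0x80 | 62) to it."""
    return b"\x40\x05x-pad\x7f\xa1\x1e" + b"A" * 4000 + b"\xbe" * repeats
```

With the default cap of 65536 the decoder rejects the 5010-byte constructed block at the 17th field; with the cap raised far enough, the same input decodes to roughly 4 MB of header data.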
Published: 2026-06-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Protocol::HTTP2's inbound HPACK path does not enforce a header-list size limit, so a small HTTP/2 request can inflate into a large amount of server memory. The headers_decode method creates a full key-value copy for each indexed reference without a running size check, and the stream_header_block_add method appends every CONTINUATION frame to the per-stream buffer without bounding it. Because the advertised MAX_HEADER_LIST_SIZE setting is never consulted on decode, a crafted request can consume excessive memory, potentially crashing the server or denying service. This amplification of a small input into uncontrolled memory consumption is classified as CWE-409.

Affected Systems

The vulnerable component is CRUX’s Protocol::HTTP2 module. Versions up to and including 1.12 are affected; later releases have not been listed as impacted. Administrators should review the Perl module version in use and ensure it is newer than 1.12 or has the patch applied.

Risk and Exploitability

The vulnerability is remotely exploitable over HTTP/2, requiring only that an attacker be able to send HTTP/2 traffic to the affected server. No special network privilege is required, so the attack is straightforward. The immediate consequence is memory exhaustion, which degrades availability. The EPSS score is not available and the issue is not listed in CISA's KEV catalog, but the lack of size controls and the high impact of a denial of service warrant close attention. An attacker could exploit this simply by initiating an HTTP/2 connection and sending a sequence of headers that triggers the oversized buffer growth.

Generated by OpenCVE AI on June 6, 2026 at 11:20 UTC.

Remediation

Vendor Workaround

Apply the patch.

OpenCVE Recommended Actions

  • Apply the patch located at https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch to the Protocol::HTTP2 module.
  • Upgrade to a later release of Protocol::HTTP2 (if a fixed version is available) so that the vulnerability is fully resolved.
  • Configure the web server or application framework in front of Protocol::HTTP2 to enforce a maximum header list size for HTTP/2 requests (for example by setting or overriding MAX_HEADER_LIST_SIZE there) to contain any remaining risk if the patch cannot be applied immediately; note that, per the description, the MAX_HEADER_LIST_SIZE value Protocol::HTTP2 itself advertises is not consulted on decode, so the limit has to be enforced by a component that honours it.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type         Values Removed    Values Added
References   -                 -

Sat, 06 Jun 2026 10:00:00 +0000

Type         Values Removed    Values Added
Description  -                 (the description shown at the top of this page)
Title        -                 Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to an HTTP/2 Bomb
Weaknesses   -                 CWE-409
References   -                 -

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-06T11:31:33.020Z

Reserved: 2026-06-03T09:18:37.572Z

Link: CVE-2026-10725

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T10:16:25.790

Modified: 2026-06-06T12:16:39.457

Link: CVE-2026-10725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T11:30:19Z

Weaknesses