Description
PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able either to send more DATA bytes than declared, smuggling additional content past application-level size limits, or to send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.
The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the PSL HTTP/2 ServerConnection, which fails to verify that the total bytes received in DATA frames match the Content-Length declared in the HEADERS frame. A malicious client can send more or fewer bytes than specified, allowing request smuggling. This causes applications that rely on the declared length to accept unexpected or truncated data, potentially bypassing size limits or affecting application logic. The weakness is formally identified as CWE‑444.

Affected Systems

The issue affects PHP Standard Library versions 6.1.0, 6.1.1, and 6.2.0 for consumers that invoke Psl\H2\ServerConnection directly to accept untrusted HTTP/2 traffic. Applications using higher‑level PSL APIs are not affected. The fix is released in 6.1.2 and 6.2.1.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is rated High severity, and the EPSS score of less than 1% indicates a very low current probability of exploitation. It is not listed in the CISA KEV catalog. Because the flaw is only reachable when developers use the low-level ServerConnection class with external clients, the attack vector requires a client that can speak HTTP/2 and send crafted frames. An attacker would need to target an application that directly instantiates this class for incoming traffic.

Generated by OpenCVE AI on June 18, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PHP Standard Library to version 6.1.2 or later, which includes the fix for the request smuggling issue.
  • Avoid using Psl\H2\ServerConnection directly to handle untrusted HTTP/2 traffic; instead, rely on higher‑level PSL APIs that perform proper content‑length validation.
  • If a low‑level server is required, add explicit checks that the total bytes received in DATA frames match the Content-Length header before processing the request payload.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values Removed: (none)
Values Added:
  • Description: PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits, or send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.
  • Title: PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
  • Weaknesses: CWE-444
  • References: (empty)
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:11:32.959Z

Reserved: 2026-05-26T23:26:07.974Z

Link: CVE-2026-48979

Vulnrichment

Updated: 2026-06-18T13:11:28.025Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses

  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')