Description
Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.
Published: 2026-07-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In its default configuration, the HTTP/1.1 message parser in Apache HttpComponents Core places no bound on the number of headers in a message or on the length of an individual header line. This is an uncontrolled resource consumption weakness (CWE-400): a remote attacker sends a message with an excessive number of headers, or with headers of excessive length, and the parser buffers all of it in memory before the application ever sees the message. One large enough message, or enough of them in parallel, exhausts the JVM heap and leaves the process crashed or unresponsive. Only availability is affected; the advisory claims no confidentiality or integrity impact.

Affected Systems

The vulnerable component is the Apache Software Foundation's HttpComponents Core library (HttpCore). Versions 5.4.2 and earlier, and 5.5-beta1 and earlier, are listed as affected. HttpCore is the HTTP/1.1 transport underneath Apache HttpClient and is also used as an embedded server by Java applications and frameworks, so any listener that parses inbound requests with it is exposed. The description speaks of messages rather than requests, so a client built on the library that parses responses from a hostile server should be treated as in scope as well, unless the project states otherwise.

Risk and Exploitability

The CVSS v3.1 score of 7.5 (High) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the flaw is reachable over the network, needs no privileges or user interaction, and its only impact is on availability. The EPSS estimate is below 1% (very low), and the vulnerability is not in CISA's KEV catalog; the SSVC assessment records no known exploitation, rates the attack as not automatable, and rates the technical impact as partial. Authentication does not reduce exposure, because request headers are parsed before any application-level authentication can run on them, so the attack surface is every endpoint where the library parses HTTP traffic from an untrusted peer.

Generated by OpenCVE AI on July 2, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the first release after the affected ranges (5.4.2 and earlier, 5.5-beta1 and earlier) that the project identifies as fixed. At the time of this page no fixed release is listed, so treat the configuration changes below as the primary mitigation.
  • If an upgrade is not immediately possible, enforce header limits at the network perimeter with a reverse proxy or firewall that rejects requests carrying more than the allowed number of headers or header lines longer than a safe length (for example, Apache httpd's LimitRequestFields and LimitRequestFieldSize, or nginx's large_client_header_buffers), so oversized messages never reach the library.
  • Configure the application or embedded HTTP server to bound header count and line length explicitly, since the advisory title identifies the default configuration as the unbounded one; any message exceeding the bound should be rejected by the parser before its headers are buffered.
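As an added example, not code from the OpenCVE page or from the Apache HttpComponents project, the following shows what the explicit bound in the last two recommendations looks like for an embedded HttpCore 5.x classic server. The Http1Config builder, its setMaxLineLength, setMaxHeaderCount and setMaxEmptyLineCount setters, and ServerBootstrap.setHttp1Config are the names as I recall them from the 5.x API and should be checked against the version in use; the port and the limit values are arbitrary choices for the example.

```java
import java.io.IOException;

import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.HttpStatus;
import org.apache.hc.core5.http.config.Http1Config;
import org.apache.hc.core5.http.impl.bootstrap.HttpServer;
import org.apache.hc.core5.http.impl.bootstrap.ServerBootstrap;
import org.apache.hc.core5.http.io.entity.StringEntity;
import org.apache.hc.core5.io.CloseMode;
import org.apache.hc.core5.util.TimeValue;

/**
 * Embedded HttpCore 5.x server with explicit header and line bounds.
 * Added example: the builder/setter names are assumed from the 5.x API and
 * should be verified against the HttpCore version actually on the classpath.
 */
public class BoundedHeaderServer {

    // Http1Config.DEFAULT leaves line length and header count unbounded; the
    // advisory title calls out exactly that default. These values are arbitrary
    // but generous for ordinary clients and small enough to cap heap use per message.
    static Http1Config boundedHttp1Config() {
        return Http1Config.custom()
                .setMaxLineLength(8 * 1024)   // longest request line or single header line (bytes)
                .setMaxHeaderCount(100)       // most header lines accepted in one message
                .setMaxEmptyLineCount(10)     // blank lines tolerated before the request line
                .build();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        HttpServer server = ServerBootstrap.bootstrap()
                .setListenerPort(8080)                    // arbitrary port for the example
                .setHttp1Config(boundedHttp1Config())     // bounds applied to every parsed message
                .register("*", (request, response, context) -> {
                    response.setCode(HttpStatus.SC_OK);
                    response.setEntity(new StringEntity("ok\n", ContentType.TEXT_PLAIN));
                })
                .create();
        server.start();
        Runtime.getRuntime().addShutdownHook(new Thread(() -> server.close(CloseMode.GRACEFUL)));
        server.awaitTermination(TimeValue.MAX_VALUE);
    }
}
```

With the limits in place, a message that exceeds either bound is rejected by the parser as soon as the bound is crossed instead of being buffered to completion; the exact exception and connection handling should be confirmed against the version in use. Treat the application limit as the backstop and make any reverse proxy in front of it stricter, so that legitimate traffic never hits the backstop and a limit violation at the application is itself a signal worth logging. To verify, send a request with more headers than the configured count (or one header line longer than the configured length) and confirm the server drops the connection rather than answering.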

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Values Removed: (none)
Values Added:
  Description: Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length
  Title: Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
  Weaknesses: CWE-400
  References: (none listed)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-01T17:36:47.358Z

Reserved: 2026-06-13T10:04:54.084Z

Link: CVE-2026-54399

Vulnrichment

Updated: 2026-07-01T17:36:47.358Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T13:15:02Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption