Impact
Apache HttpComponents Core contains an unbounded HTTP header/line length weakness in its HTTP/1.1 message parser. The flaw is a resource exhaustion vulnerability (CWE-400): a remote attacker can send HTTP requests containing an excessively large number of headers, or individual headers that are extremely long, and because the parser does not bound what it reads, it allocates large amounts of memory while processing them, potentially exhausting the application's heap and causing crashes or unresponsiveness.
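As an added illustration, not code from HttpComponents or from the advisory, the following Python sketch shows the defensive property the vulnerable parser lacked: a maximum line length and a maximum header count enforced while the bytes are being read, so that a crafted message can never force a large allocation. The limit values, the build_request samples and the EndlessHeaderStream adversarial source are all constructed for this demonstration and are not taken from the library.

```python
"""Bounded HTTP/1.1 header-section parsing as a defence against
CWE-400 header floods. Generic illustration, not HttpComponents code.

Assumptions (not from the advisory): MAX_LINE_LENGTH and
MAX_HEADER_COUNT are operator-chosen limits; all sample requests below
are constructed for the demonstration.
"""
import io

MAX_LINE_LENGTH = 8192    # bytes per request-line or header line (assumed)
MAX_HEADER_COUNT = 100    # header lines per message (assumed)


class HeaderLimitExceeded(Exception):
    """Raised when the header section exceeds a configured bound."""


def read_line_bounded(stream, limit: int) -> bytes:
    """Read one CRLF-terminated line without ever buffering more than limit+1 bytes.

    The bound is checked as part of the read itself, so an attacker-controlled
    line cannot make the parser allocate an arbitrarily large buffer.
    """
    line = stream.readline(limit + 1)          # stops after limit+1 bytes even with no CRLF
    if len(line) > limit:
        raise HeaderLimitExceeded(f"line exceeds {limit} bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("unexpected end of header section")
    return line[:-2]


def parse_header_stream(stream, max_line_length=MAX_LINE_LENGTH,
                        max_header_count=MAX_HEADER_COUNT) -> dict:
    """Parse request line and headers from any object exposing readline(size)."""
    request_line = read_line_bounded(stream, max_line_length)
    headers = {}
    count = 0
    while True:
        line = read_line_bounded(stream, max_line_length)
        if line == b"":                        # blank line terminates the header section
            break
        count += 1
        if count > max_header_count:           # reject before storing the header
            raise HeaderLimitExceeded(f"more than {max_header_count} headers")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return {"request_line": request_line.decode("ascii"), "headers": headers}


def parse_header_section(raw: bytes, **limits) -> dict:
    """Convenience wrapper for fully materialised messages."""
    return parse_header_stream(io.BytesIO(raw), **limits)


def build_request(header_count: int, value_length: int) -> bytes:
    """Construct a GET request with header_count padding headers of value_length bytes."""
    lines = [b"GET / HTTP/1.1", b"Host: example.invalid"]
    for i in range(header_count):
        lines.append(b"X-Pad-%d: %s" % (i, b"a" * value_length))
    return b"\r\n".join(lines) + b"\r\n\r\n"


def accepts(raw: bytes, **limits) -> bool:
    """True if the bounded parser accepts the message, False if a limit rejects it."""
    try:
        parse_header_section(raw, **limits)
        return True
    except HeaderLimitExceeded:
        return False


class EndlessHeaderStream:
    """Constructed adversarial source: a valid request line followed by a header
    value that never terminates. Bytes are produced on demand, so the test itself
    never holds a large buffer; only an unbounded parser would."""

    def __init__(self):
        self._pending = [b"GET / HTTP/1.1\r\n"]

    def readline(self, size=-1) -> bytes:
        if self._pending:
            return self._pending.pop(0)
        return b"a" * (size if size > 0 else 65536)


def rejects_endless_header() -> bool:
    """True if the bounded parser stops the endless header at MAX_LINE_LENGTH."""
    try:
        parse_header_stream(EndlessHeaderStream())
        return False
    except HeaderLimitExceeded:
        return True


if __name__ == "__main__":
    print("normal request accepted:", accepts(build_request(3, 10)))
    print("101 headers accepted:", accepts(build_request(100, 1)))
    print("9000-byte header accepted:", accepts(build_request(1, 9000)))
    print("endless header rejected:", rejects_endless_header())
```

The point of EndlessHeaderStream is that the check in read_line_bounded happens during the read: a parser that first collects the whole line and only then compares its length has already paid the allocation the advisory describes.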
Affected Systems
The vulnerable component is the Apache Software Foundation's HttpComponents Core library. Versions 5.4.2 and earlier, as well as 5.5-beta1 and earlier, contain the unbounded parser and are therefore vulnerable. The library is embedded in Java web servers, application servers, and HTTP client frameworks that accept external requests, making any exposed endpoint a potential attack surface.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, with the primary impact being service disruption. EPSS data is not available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. The weakness can be triggered remotely by sending crafted HTTP requests to any exposed endpoint that relies on the library. The description does not specify authentication requirements; from the available information it is inferred that no authentication or privileged access is needed. The attack surface exists wherever the library parses inbound HTTP traffic.
OpenCVE Enrichment