Impact
hpax decodes HPACK variable-length integers without an upper bound on either the integer value or the number of continuation octets. The decode algorithm accumulates the integer as a bignum, shifting by seven bits for each continuation octet and stopping only on a terminating octet. Because BEAM supports arbitrary precision integers, a long stream of continuation octets creates an O(N)-bit bignum and the cumulative decoding cost grows superlinearly, approximately O(N²). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder can supply a small header block that forces a large amount of CPU and transient memory, resulting in a denial‑of‑service amplification.
Affected Systems
The vulnerability affects the elixir-mint hpax library, versions prior to 1.0.4, including all releases from 0.1.1 up to but not including 1.0.4. In particular, any Elixir application that uses hpax to decode HTTP/2 header blocks is susceptible.
Risk and Exploitability
The CVSS score of 8.7 marks this issue as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can trigger the exploit from any network-facing endpoint that accepts HTTP/2 requests, and no authentication is required. The amplification via CPU consumption can exhaust server resources and deny service to legitimate clients.
OpenCVE Enrichment