Skip to main content

Protocol::HTTP2 CVE-2026-10725

| EUVDEUVD-2026-34964 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-06 CPANSec GHSA-q432-rmqv-hh8m
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 19:24 vuln.today
CVSS changed
Jun 08, 2026 - 19:22 NVD
7.5 (HIGH)
CVE Published
Jun 06, 2026 - 09:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.

AnalysisAI

Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.

Technical ContextAI

Protocol::HTTP2 is a pure-Perl implementation of the HTTP/2 protocol (RFC 7540) distributed on CPAN under maintainer CRUX, used by Perl HTTP clients and servers to speak HTTP/2 including its HPACK header-compression scheme (RFC 7541). The root cause maps to CWE-409 (Improper Handling of Highly Compressed Data, a.k.a. 'data amplification'): HPACK's static/dynamic indexing lets a tiny on-the-wire byte sequence reference long header names/values, and Protocol::HTTP2's headers_decode in HeaderCompression.pm materialises a full key+value copy per indexed reference with no running size check, while stream_header_block_add in Stream.pm (line 414) appends every CONTINUATION frame to the per-stream buffer without bound starting in 1.12. The MAX_HEADER_LIST_SIZE SETTINGS parameter (default 65536) is advertised to peers but is absent from both the decoder logic and the :limits export tag, so the advertised limit is never enforced - the classic HTTP/2 bomb amplification pattern previously seen in other stacks.

RemediationAI

Apply the vendor-released patch published by CPANSec at https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch and upgrade to the fixed CPAN release once a tagged version above 1.12 is available (patch available per vendor advisory; consult https://seclists.org/oss-sec/2026/q2/828 and https://vuldb.com/vuln/369064 for release tracking). Until the patched module is deployed, the most effective compensating control is to disable HTTP/2 on services backed by Protocol::HTTP2 and serve only HTTP/1.1 (side effect: loss of multiplexing/performance benefits for HTTP/2 clients), or terminate HTTP/2 at a hardened reverse proxy such as nginx or HAProxy that enforces MAX_HEADER_LIST_SIZE and CONTINUATION-frame limits and forward HTTP/1.1 to the Perl backend. As a narrower mitigation, restrict network exposure of any Perl service using this module to trusted clients via firewall ACLs, and cap process memory (e.g. ulimit -v / systemd MemoryMax) so an OOM event terminates only the worker rather than destabilising the host.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected

Share

CVE-2026-10725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy