GHSA-hf6x-8p5f-cgmf
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated low-complexity request triggers memory exhaustion with no confidentiality or integrity impact, so PR:N/AC:L and A:H only, matching the published vector.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6Description PRE-NVD
Articles & Coverage 1
AnalysisAI
Denial of service in Apache HttpComponents Core (HttpCore) 5.0-alpha through 5.4.2 and the 5.5 beta line up to 5.5-beta1 allows a remote unauthenticated attacker to exhaust server memory by sending HTTP/1.1 messages containing an excessive number of headers or excessively long headers. The HTTP/1.1 message parser accumulates this header data without enforcing sane bounds, letting a single crafted request drive availability loss (CVSS 7.5, A:H only). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to an endpoint that parses inbound HTTP/1.1 messages through Apache HttpComponents Core's message parser - matching AV:N/AC:L/PR:N/UI:N, so no special configuration, authentication, or user interaction is needed against a default deployment that accepts untrusted HTTP/1.1 traffic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are consistent but point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-facing service built on HttpComponents Core sends one or more crafted HTTP/1.1 requests packed with thousands of headers or a single enormous header value. The parser buffers this data without bound, and repeated or large requests exhaust the JVM heap, causing OutOfMemory conditions and taking the service offline. … |
| Remediation | Upgrade Apache HttpComponents Core to a fixed release above the affected ranges - i.e. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications and services using Apache HttpCore 5.0-5.4.2 via dependency scanning; assess impact scope across infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Httpcomponents Core
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41094