Skip to main content

Apache HttpComponents Core CVE-2026-54399

| EUVDEUVD-2026-41094 HIGH
Uncontrolled Resource Consumption (CWE-400)
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated low-complexity request triggers memory exhaustion with no confidentiality or integrity impact, so PR:N/AC:L and A:H only, matching the published vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 01, 2026 - 18:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 01, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 18:22 vuln.today
cvss_changed
Severity Changed
Jul 01, 2026 - 18:22 NVD
CRITICAL HIGH
CVSS changed
Jul 01, 2026 - 18:22 NVD
7.5 (CRITICAL) 7.5 (HIGH)
Analysis Generated
Jul 01, 2026 - 16:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Denial of service in Apache HttpComponents Core (HttpCore) 5.0-alpha through 5.4.2 and the 5.5 beta line up to 5.5-beta1 allows a remote unauthenticated attacker to exhaust server memory by sending HTTP/1.1 messages containing an excessive number of headers or excessively long headers. The HTTP/1.1 message parser accumulates this header data without enforcing sane bounds, letting a single crafted request drive availability loss (CVSS 7.5, A:H only). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify HTTP/1.1 endpoint using HttpCore
Delivery
Send request with excessive headers/oversized header
Exploit
Parser buffers header data unbounded
Execution
JVM memory exhausted
Impact
Service crashes or hangs (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to an endpoint that parses inbound HTTP/1.1 messages through Apache HttpComponents Core's message parser - matching AV:N/AC:L/PR:N/UI:N, so no special configuration, authentication, or user interaction is needed against a default deployment that accepts untrusted HTTP/1.1 traffic. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are consistent but point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-facing service built on HttpComponents Core sends one or more crafted HTTP/1.1 requests packed with thousands of headers or a single enormous header value. The parser buffers this data without bound, and repeated or large requests exhaust the JVM heap, causing OutOfMemory conditions and taking the service offline. …
Remediation Upgrade Apache HttpComponents Core to a fixed release above the affected ranges - i.e. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications and services using Apache HttpCore 5.0-5.4.2 via dependency scanning; assess impact scope across infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy