GHSA-v3jc-474w-2wm6
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, unauthenticated attack during HTTP/2 handshake; availability-only impact via heap exhaustion, no confidentiality or integrity effect.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Description PRE-NVD
Articles & Coverage 1
AnalysisAI
Memory exhaustion denial-of-service in Apache HttpComponents Core's HTTP/2 HPACK decoder allows remote attackers to crash Java services by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement is processed. The root cause is a timing gap in the connection handshake: the server's configured maximum header list size limit is not enforced until after the SETTINGS ACK exchange completes, leaving a window during which an attacker can flood the decoder with arbitrarily large compressed header data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses the org.apache.httpcomponents.core5:httpcore5-h2 artifact at version 5.4.2 or earlier (or 5.5-beta1) AND exposes an HTTP/2 endpoint reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The real-world risk is moderate-to-high for any Java application that exposes an HTTP/2 endpoint using the affected httpcore5-h2 artifact, particularly services directly reachable over the internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets a publicly accessible Java service - for example, a REST API or microservice - using the httpcore5-h2 library for HTTP/2 transport. The attacker opens an HTTP/2 connection and immediately sends a HEADERS frame containing a maximally compressed but extremely large set of header fields before the server's SETTINGS ACK is exchanged, bypassing the server's configured header list size limit. … |
| Remediation | The primary remediation is to upgrade org.apache.httpcomponents.core5:httpcore5-h2 to a version that enforces the configured SETTINGS_MAX_HEADER_LIST_SIZE before the SETTINGS ACK completes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Use dependency scanners (Maven, Gradle, SBOMs) to identify all Java applications using org.apache.httpcomponents.core5:httpcore5-h2 versions 5.4.2 or earlier, or 5.5-beta1 and earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Httpcomponents Core
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41095