Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb.
Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").
The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.
MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.
AnalysisAI
Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.
Technical ContextAI
Protocol::HTTP2 is a pure-Perl implementation of the HTTP/2 protocol (RFC 7540) distributed on CPAN under maintainer CRUX, used by Perl HTTP clients and servers to speak HTTP/2 including its HPACK header-compression scheme (RFC 7541). The root cause maps to CWE-409 (Improper Handling of Highly Compressed Data, a.k.a. 'data amplification'): HPACK's static/dynamic indexing lets a tiny on-the-wire byte sequence reference long header names/values, and Protocol::HTTP2's headers_decode in HeaderCompression.pm materialises a full key+value copy per indexed reference with no running size check, while stream_header_block_add in Stream.pm (line 414) appends every CONTINUATION frame to the per-stream buffer without bound starting in 1.12. The MAX_HEADER_LIST_SIZE SETTINGS parameter (default 65536) is advertised to peers but is absent from both the decoder logic and the :limits export tag, so the advertised limit is never enforced - the classic HTTP/2 bomb amplification pattern previously seen in other stacks.
RemediationAI
Apply the vendor-released patch published by CPANSec at https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch and upgrade to the fixed CPAN release once a tagged version above 1.12 is available (patch available per vendor advisory; consult https://seclists.org/oss-sec/2026/q2/828 and https://vuldb.com/vuln/369064 for release tracking). Until the patched module is deployed, the most effective compensating control is to disable HTTP/2 on services backed by Protocol::HTTP2 and serve only HTTP/1.1 (side effect: loss of multiplexing/performance benefits for HTTP/2 clients), or terminate HTTP/2 at a hardened reverse proxy such as nginx or HAProxy that enforces MAX_HEADER_LIST_SIZE and CONTINUATION-frame limits and forward HTTP/1.1 to the Perl backend. As a narrower mitigation, restrict network exposure of any Perl service using this module to trusted clients via firewall ACLs, and cap process memory (e.g. ulimit -v / systemd MemoryMax) so an OOM event terminates only the worker rather than destabilising the host.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34964
GHSA-q432-rmqv-hh8m