Protocol
Monthly
Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.
Authentication bypass in CloudburstMC Protocol, the Minecraft Bedrock Edition protocol library, allows remote unauthenticated attackers to partially bypass token validation by exploiting incomplete checks in EncryptionUtils for FULL type authentication tokens. All versions prior to 3.0.0.Beta12-20260420.182526-15 are affected, impacting any publicly accessible software - such as Bedrock-compatible game servers - that depends on this library's auth payload validation logic. The CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L) confirms low-complexity remote exploitation with limited integrity impact; no public exploit code or CISA KEV listing has been identified at time of analysis.
Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.
Authentication bypass in CloudburstMC Protocol, the Minecraft Bedrock Edition protocol library, allows remote unauthenticated attackers to partially bypass token validation by exploiting incomplete checks in EncryptionUtils for FULL type authentication tokens. All versions prior to 3.0.0.Beta12-20260420.182526-15 are affected, impacting any publicly accessible software - such as Bedrock-compatible game servers - that depends on this library's auth payload validation logic. The CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L) confirms low-complexity remote exploitation with limited integrity impact; no public exploit code or CISA KEV listing has been identified at time of analysis.