Allocation of Resources Without Limits or Throttling
CVE-2024-28182
Summary
The nghttp2 package is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library, prior to version 1.61.0, keeps reading the unbounded number of HTTP/2 "CONTINUATION" frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. In nghttp2 mitigates this vulnerability by limiting the number of "CONTINUATION" frames it accepts per stream. This vulnerability also affects github.com/nghttp2/nghttp2 package versions prior to 1.61.0. There is no workaround for this vulnerability.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
References
Advisory Timeline
- Published