Cyber Resilience

CVE-2024-2653

High

Published: 03 April 2024

Modified: 15 April 2026
CVSS v3.1 base score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS score: 0.0507 (90.0th percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2653 is a high-severity vulnerability with no CWE assigned in this record. Its CVSS v3.1 base score is 8.2 (High).

Operationally, it ranks in the top 10.0% of CVEs by EPSS exploit likelihood (0.0507, 90th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-2653 affects the amphp/http library's HTTP/2 handling, where CONTINUATION frames are accumulated in an unbounded buffer without enforcing any size limit until the END_HEADERS flag arrives, ultimately triggering an out-of-memory crash. The same flaw is present in the related amphp/http-client component.

An unauthenticated network attacker can exploit the issue by opening a stream with a HEADERS frame that lacks END_HEADERS and then sending a crafted sequence of CONTINUATION frames that never set the flag; each frame is appended to the header block buffer, so memory grows without bound until the process is killed, resulting in denial of service. The CVSS 8.2 rating reflects a network attack vector, low attack complexity, no privileges or user interaction required, and high availability impact with only limited integrity consequences.
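The accumulation pattern described above, shown as an added illustration that is not amphp code: a constructed HTTP/2 frame encoder and decoder, an accumulator that mirrors the advisory's late size check, a bounded variant that checks before every append, and constructed attacker and well-formed traffic. Python is used here to demonstrate the protocol mechanism rather than the library's PHP API; the class and function names, the 8192-byte limit, the `peak` counter and the traffic shapes are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Frame types and the flag that ends a header block (RFC 9113, sections 4.1, 6.2 and 6.10).
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4


@dataclass
class Frame:
    type: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def decode_frames(wire: bytes) -> Iterator[Frame]:
    """Split a byte string into frames; a truncated frame is an error."""
    off = 0
    while off < len(wire):
        if off + 9 > len(wire):
            raise ValueError("truncated frame header")
        length = int.from_bytes(wire[off:off + 3], "big")
        ftype, flags = wire[off + 3], wire[off + 4]
        stream_id = struct.unpack("!I", wire[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = wire[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield Frame(ftype, flags, stream_id, payload)
        off += 9 + length


class HeaderBlockTooLarge(Exception):
    pass


class LateCheckAccumulator:
    """Reproduces the flaw the advisory describes (assumed structure, not the library's code):
    CONTINUATION payloads are appended without limit and the size check only runs at END_HEADERS."""

    def __init__(self, max_header_block: int) -> None:
        self.max = max_header_block
        self.buf = bytearray()
        self.peak = 0  # largest buffer size seen; stands in for process memory in this example

    def feed(self, f: Frame) -> Optional[bytes]:
        if f.type == HEADERS:
            self.buf = bytearray(f.payload)
        elif f.type == CONTINUATION:
            self.buf += f.payload  # grows until END_HEADERS, which an attacker never sends
        else:
            return None
        self.peak = max(self.peak, len(self.buf))
        if not f.flags & END_HEADERS:
            return None
        if len(self.buf) > self.max:  # too late: the memory has already been consumed
            raise HeaderBlockTooLarge(len(self.buf))
        block, self.buf = bytes(self.buf), bytearray()
        return block


class EarlyCheckAccumulator(LateCheckAccumulator):
    """Bounded variant: reject as soon as the next fragment would push the block over the limit."""

    def feed(self, f: Frame) -> Optional[bytes]:
        if f.type in (HEADERS, CONTINUATION):
            base = 0 if f.type == HEADERS else len(self.buf)
            if base + len(f.payload) > self.max:
                raise HeaderBlockTooLarge(base + len(f.payload))
        return super().feed(f)


def continuation_flood(stream_id: int, frames: int, chunk: int) -> bytes:
    """Constructed attacker traffic: HEADERS then CONTINUATION frames, none carrying END_HEADERS."""
    wire = encode_frame(HEADERS, 0, stream_id, b"\x00" * chunk)
    for _ in range(frames):
        wire += encode_frame(CONTINUATION, 0, stream_id, b"\x00" * chunk)
    return wire


def fragmented_request(stream_id: int, parts: List[bytes]) -> bytes:
    """Constructed well-formed traffic: a header block split over frames, the last one ending it."""
    wire = encode_frame(HEADERS, END_HEADERS if len(parts) == 1 else 0, stream_id, parts[0])
    for i, part in enumerate(parts[1:], start=2):
        wire += encode_frame(CONTINUATION, END_HEADERS if i == len(parts) else 0, stream_id, part)
    return wire


def run(acc: LateCheckAccumulator, wire: bytes) -> Tuple[int, bool, Optional[bytes]]:
    """Feed every frame; return (peak buffered bytes, rejected?, last completed header block)."""
    block = None
    try:
        for frame in decode_frames(wire):
            block = acc.feed(frame) or block
    except HeaderBlockTooLarge:
        return acc.peak, True, block
    return acc.peak, False, block


if __name__ == "__main__":
    flood = continuation_flood(1, frames=1000, chunk=1024)
    print("late check :", run(LateCheckAccumulator(8192), flood)[:2])
    print("early check:", run(EarlyCheckAccumulator(8192), flood)[:2])
```

With a 1000-frame flood of 1 KiB chunks the late-check accumulator buffers just over 1 MiB and never rejects anything, because END_HEADERS never arrives; scale the frame count up and the buffer grows with it. The early-check accumulator never holds more than the limit and raises on the first fragment that would exceed it, which a real server would turn into a connection error. Both variants accept the fragmented but well-formed request unchanged.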

Public advisories published on GitHub (GHSA-w8gf-g2vq-j2f4, GHSA-qjfw-cvjf-f4fm) and the oss-security mailing list describe the root cause and direct users to apply the patched releases of amphp/http and amphp/http-client.

The associated EPSS score has remained flat at 0.0507 since disclosure, providing no indication of rising exploitation interest.

Vulnerability details

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls are mapped for this CVE yet. The remediation is to upgrade to the patched releases of amphp/http and amphp/http-client named in the GitHub advisories; a configured header-size limit does not protect unpatched versions, because the check only runs once END_HEADERS has been received.
