CVE-2024-2653
Published: 03 April 2024
Summary
CVE-2024-2653 is a high-severity vulnerability whose weakness type (CWE) is unspecified. Its CVSS base score is 8.2 (High).
Operationally, it ranks in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-2653 affects the amphp/http library's HTTP/2 handling, where CONTINUATION frames are accumulated in an unbounded buffer and no size limit is enforced until a frame carrying the END_HEADERS flag arrives, ultimately triggering an out-of-memory crash. The same flaw is present in the related amphp/http-client component.
An unauthenticated network attacker can exploit the issue by sending a crafted sequence of CONTINUATION frames that never set END_HEADERS, causing unbounded memory growth on the target and resulting in denial of service. The CVSS 8.2 rating reflects a network attack vector, low attack complexity, and high availability impact with only limited integrity consequences.
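As an added illustration (not code from amphp/http or its maintainers), the following Python accumulator shows the unbounded buffering path the advisory describes next to a hardened variant that enforces the cap on every fragment rather than only at END_HEADERS; the frame layout follows RFC 9113, and the constructed sample frames, the 8192-byte cap and the function names are assumptions.

```python
# Added example, not amphp/http code: an HTTP/2 header-block accumulator that
# caps HEADERS + CONTINUATION fragments as they arrive, next to the unbounded
# behaviour described for CVE-2024-2653. Frame layout follows RFC 9113 s4.1;
# HPACK decoding and the PADDED/PRIORITY flags are assumed absent.
FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4


class HeaderBlockTooLarge(Exception):
    """Raised when accumulated header fragments exceed the configured cap."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def collect_header_block(wire, max_block=8192, check_early=True):
    """Accumulate one stream's header block from a byte string of frames.
    check_early=True  (hardened): reject as soon as the buffer passes max_block.
    check_early=False (the CVE):  size is only examined once END_HEADERS arrives,
    so a peer that never sets the flag grows the buffer without limit.
    Returns the block on END_HEADERS, or None if the input ends first.
    """
    block = bytearray()
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(wire):
        length = int.from_bytes(wire[offset:offset + 3], "big")
        ftype, flags = wire[offset + 3], wire[offset + 4]
        start = offset + FRAME_HEADER_LEN
        payload = wire[start:start + length]
        offset = start + length
        if ftype not in (TYPE_HEADERS, TYPE_CONTINUATION):
            raise ValueError("non-CONTINUATION frame inside an open header block")
        block += payload
        if check_early and len(block) > max_block:
            raise HeaderBlockTooLarge(len(block))
        if flags & FLAG_END_HEADERS:
            if len(block) > max_block:
                raise HeaderBlockTooLarge(len(block))
            return bytes(block)
    return None  # block still open: the vulnerable path just keeps buffering


# Constructed samples (HPACK static-table indices 0x82 ':method: GET', 0x87 ':scheme: https').
COMPLETE = (build_frame(TYPE_HEADERS, 0x0, 1, b"\x82")
            + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x87"))
NEVER_ENDS = build_frame(TYPE_HEADERS, 0x0, 1, b"\x82") + b"".join(
    build_frame(TYPE_CONTINUATION, 0x0, 1, b"\x00" * 1024) for _ in range(16))
```

With `check_early=False` the open block is simply kept in memory for as long as the peer keeps sending; the hardened path rejects it the moment the cap is crossed, which is the behaviour the patched releases restore.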
Public advisories published on GitHub (GHSA-w8gf-g2vq-j2f4, GHSA-qjfw-cvjf-f4fm) and the oss-security mailing list describe the root cause and direct users to apply the patched releases of amphp/http and amphp/http-client.
The associated EPSS score has remained flat at 0.0507 since disclosure, providing no indication of rising exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1280
Vulnerability details
amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.