{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "description", "text": "Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the \"HTTP/2 bomb\"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.", "title": "Vulnerability Description" } ], "publisher": { "category": "other", "contact_details": "gdt@cpan.org", "name": "giterlizzi", "namespace": "https://github.com/giterlizzi/" }, "references": [ { "category": "self", "summary": "CPANSA-Protocol-HTTP2-2026-10725 JSON", "url": "https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-protocol-http2-2026-10725.json" }, { "category": "external", "summary": "https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/HeaderCompression.pm#L133", "url": "https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/HeaderCompression.pm#L133" }, { "category": "external", "summary": "https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/Stream.pm#L414", "url": "https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/Stream.pm#L414" }, { "category": "external", "summary": "https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch", "url": "https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2026/06/06/7", "url": "http://www.openwall.com/lists/oss-security/2026/06/06/7" }, { "category": "external", "summary": "CVE-2026-10725 (NVD)", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10725" } ], "title": "Protocol-HTTP2 vulnerability", "tracking": { "current_release_date": "2026-06-06T00:00:00", "generator": { "engine": { "name": "CSAF Perl Toolkit", "version": "0.26" } }, "id": "CPANSA-Protocol-HTTP2-2026-10725", "initial_release_date": "2026-06-06T00:00:00", "revision_history": [ { "date": "2026-06-06T00:00:00", "number": "1", "summary": "First release" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:cpan/>0", "product": { "name": "Protocol-HTTP2 greater than 0", "product_id": "CSAFPID-0001", "product_identification_helper": { "purl": "pkg:cpan/Protocol-HTTP2" } } } ], "category": "product_name", "name": "Protocol-HTTP2" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-10725", "cwe": { "id": "CWE-409", "name": "Improper Handling of Highly Compressed Data (Data Amplification)" }, "notes": [ { "category": "description", "text": "Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb.\n\nProtocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the \"HTTP/2 bomb\").\n\nThe headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.\n\nMAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] } } ] }