What is CVE-2024-2653?

CVE-2024-2653 is a vulnerability in Amphp Amphp/http, classified under CWE-789: MEMORY ALLOCATION WITH EXCESSIVE SIZE VALUE. Published 2024-04-03.

Is CVE-2024-2653 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Amphp Amphp/http

CVE-2024-2653

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

EPSS: 0.832 (99.6th percentile) — read the EPSS interpretation.

Affected products

Amphp Amphp/http — versions 2.0.0-beta.1, v1.6.0-rc1
Amphp Amphp/http-client — versions v4.0.0-rc10

Public proof-of-concept exploits

Ampferl/poc_
DrewskyDev/H2Flood
Vos68/HTTP2-Continuation-Flood-PoC
lockness-Ko/CVE-2024-27316

References

github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm
github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4
www.openwall.com/lists/oss-security/2024/04/03/16

Frequently asked questions

What is CVE-2024-2653?: CVE-2024-2653 is a vulnerability in Amphp Amphp/http, classified under CWE-789: MEMORY ALLOCATION WITH EXCESSIVE SIZE VALUE. Published 2024-04-03.
Is CVE-2024-2653 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.