Facebook Proxygen
9 CVEs affecting Facebook Proxygen. Latest disclosed: 2025-12-02. Critical: 3, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-1897 | Critical | 9.8 | 2020-05-18 | A use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invokes request error handling in a specific… |
| CVE-2019-11940 | Critical | 9.8 | 2019-12-04 | In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations can place the header table into a corr… |
| CVE-2019-11921 | Critical | 9.8 | 2019-07-25 | An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper handling of Base64 when parsing malform… |
| CVE-2023-44487 | High | 7.5 | 2023-10-10 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the w… |
| CVE-2021-24029 | High | 7.5 | 2021-03-15 | A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC sp… |
| CVE-2018-6347 | High | 7.5 | 2018-12-31 | An issue in the Proxygen handling of HTTP2 parsing of headers/trailers can lead to a denial-of-service attack. This affects Proxygen prior to v2018.12.31.00. |
| CVE-2018-6346 | High | 7.5 | 2018-12-31 | A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 priority settings (specifically a circular dependency). This affects Proxygen pri… |
| CVE-2018-6343 | High | 7.5 | 2018-12-31 | Proxygen fails to validate that a secondary auth manager is set before dereferencing it. That can cause a denial of service issue when parsing a Certificate/Ce… |
| CVE-2025-55181 | Medium | 5.3 | 2025-12-02 | Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing ev… |