CVE-2025-57804
BaseFortify
Publication date: 2025-08-25
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python-hyper | h2 | 4.0 |
| python-hyper | h2 | 4.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the h2 Python HTTP/2 protocol stack before version 4.3.0. It allows attackers to perform HTTP request smuggling by injecting CRLF characters into headers. When servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names and values, attackers can manipulate request boundaries and bypass security controls.
How can this vulnerability impact me?
The vulnerability can allow attackers to smuggle HTTP requests, potentially bypassing security controls. This can lead to unauthorized access, manipulation of requests, and other security issues depending on the server's handling of HTTP requests.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the h2 library to version 4.3.0 or later, as this version contains the patch that fixes the HTTP/2 request splitting vulnerability. Until the upgrade is applied, consider monitoring and filtering HTTP/2 traffic for suspicious CRLF injection attempts, and avoid downgrading HTTP/2 requests to HTTP/1.1 without proper validation of header names and values.
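The check described in the answers above, as an added example that is not h2's own code: a strict header validator applied before an HTTP/2 request is rewritten into HTTP/1.1 framing, shown beside the unchecked downgrade that copies names and values straight through. The token and control-character policy, the function names and the sample headers are constructed for this example; the "x-injected" value only illustrates how a CR/LF inside a value becomes a separate field line after downgrade.

```python
import re
from typing import Iterable, List, Tuple

# Constructed policy for this example (not h2's own rules): a header name must be
# an RFC 9110 token and a value may not carry CR, LF, NUL or any other C0 control.
# HTAB (0x09) stays allowed because field values may legitimately contain it.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderValidationError(ValueError):
    """Raised when a header cannot be emitted safely as an HTTP/1.1 field."""


def validate_header(name: str, value: str) -> None:
    """Reject any header that would change request boundaries after downgrade."""
    if name.startswith(":"):
        # HTTP/2 pseudo-headers never travel as ordinary HTTP/1.1 fields.
        raise HeaderValidationError(f"pseudo-header not allowed here: {name!r}")
    if not _TOKEN.match(name):
        raise HeaderValidationError(f"invalid header name: {name!r}")
    if _CTL.search(value):
        raise HeaderValidationError(f"control character in value of {name!r}")


def scan_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Monitoring helper: return the names of headers that fail validation."""
    bad = []
    for name, value in headers:
        try:
            validate_header(name, value)
        except HeaderValidationError:
            bad.append(name)
    return bad


def downgrade_unchecked(method: str, path: str,
                        headers: Iterable[Tuple[str, str]]) -> bytes:
    """The unsafe pattern: copy names and values straight into HTTP/1.1 framing."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def downgrade_checked(method: str, path: str,
                      headers: List[Tuple[str, str]]) -> bytes:
    """Hardened form: every field is validated before anything is serialised."""
    for name, value in headers:
        validate_header(name, value)
    return downgrade_unchecked(method, path, headers)


# Constructed samples: one clean request and one whose value carries a CRLF.
CLEAN = [("host", "example.test"), ("user-agent", "demo/1.0")]
TAINTED = [("host", "example.test"), ("x-note", "ok\r\nx-injected: 1")]

if __name__ == "__main__":
    print("clean headers flagged:", scan_headers(CLEAN))
    print("tainted headers flagged:", scan_headers(TAINTED))
    print(downgrade_unchecked("GET", "/", TAINTED))
    try:
        downgrade_checked("GET", "/", TAINTED)
    except HeaderValidationError as exc:
        print("rejected:", exc)
```

Run the file directly to see that the unchecked downgrade turns the tainted value into its own "x-injected: 1" line, while the checked variant refuses the request. The scan_headers helper is the piece to reuse for the interim monitoring the answer above suggests: it reports offending header names without raising, so it can be wired into logging at a proxy or application boundary until the upgrade to h2 4.3.0 lands.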