CVE-2026-10725
HTTP/2 Bomb in Protocol::HTTP2 Perl Module
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: CPANSec
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crux | protocol_http2 | 1.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Protocol::HTTP2 versions through 1.12 for Perl is a type of HTTP/2 Bomb attack. It arises because the inbound HPACK header compression path does not enforce a limit on the size of the header list. This means a small HTTP/2 request can expand into a very large amount of server memory usage.
Specifically, the headers_decode method creates a full copy of each header key and value for every indexed reference without checking the total size, and the stream_header_block_add method appends every CONTINUATION frame to the per-stream buffer without any size limit. Although the MAX_HEADER_LIST_SIZE setting (default 65536 bytes) is advertised in SETTINGS, it is never enforced during decoding, allowing unbounded memory consumption.
How can this vulnerability impact me?
This vulnerability can lead to a memory-based denial-of-service (DoS) attack on servers using Protocol::HTTP2 versions through 1.12. An attacker can send a small HTTP/2 request that expands into a large memory allocation on the server, exhausting server resources.
The unbounded accumulation of header data and CONTINUATION frames can cause the server to consume excessive memory, potentially leading to crashes, degraded performance, or service unavailability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded memory usage caused by HTTP/2 header decompression in Protocol::HTTP2 versions through 1.12. Detection involves monitoring HTTP/2 traffic for unusually large or malformed header blocks that exceed typical sizes, especially those that might trigger excessive memory allocation.
Since the vulnerability is related to the HPACK header decoding and accumulation of CONTINUATION frames without size limits, you can detect suspicious activity by inspecting HTTP/2 headers and frame sizes.
- Use network traffic analysis tools (e.g., Wireshark or tcpdump) to capture HTTP/2 traffic and filter for large or excessive CONTINUATION frames.
- Check server logs or application logs for errors or warnings related to HTTP/2 header processing or memory exhaustion.
- If you have access to the Perl environment running Protocol::HTTP2, enable debugging or tracing features in the module to log header sizes and frame processing.
Specific commands depend on your environment, but example commands include:
- `tcpdump -i <interface> -w capture.pcap 'tcp port 443'` captures HTTPS traffic for later HTTP/2 analysis. Because port 443 traffic is TLS-encrypted, Wireshark can only dissect the HTTP/2 frames inside it if you supply the TLS session keys (for example via an `SSLKEYLOGFILE` export from the client) or capture on the plaintext side of a TLS-terminating proxy.
- `wireshark capture.pcap` opens the capture; the display filter `http2.type == 9` isolates CONTINUATION frames and `http2.type == 1` HEADERS frames, so you can review their count and size per stream.
- grep or tail the server or application logs for HTTP/2 header errors or memory warnings.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves enforcing limits on HTTP/2 header list sizes and controlling the accumulation of CONTINUATION frames to prevent unbounded memory usage.
The security patch for CVE-2026-10725 addresses this by:
- Enforcing the MAX_HEADER_LIST_SIZE setting during header decoding to reject header blocks that exceed the allowed size.
- Limiting the size of accumulated HEADERS and CONTINUATION frames per stream to prevent memory exhaustion from frame floods.
Therefore, you should update Protocol::HTTP2 to a patched version that includes these fixes.
If immediate update is not possible, consider implementing network-level protections such as rate limiting or filtering suspicious HTTP/2 traffic that contains excessive header sizes or many CONTINUATION frames.
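The following Perl snippet is an added illustration of the two checks the patch description lists; it is not code from Protocol::HTTP2 or its author. The function names, the simplified header-block representation (literal fields and indexed references into a table) and the per-stream buffer cap are assumptions made for the example. It generalizes the page's point slightly by using the header-list size rule from RFC 7540 section 6.5.2 (each field costs its name length plus value length plus 32 octets), which is what makes an indexed reference to a large table entry count in full every time it is expanded.

```perl
#!/usr/bin/env perl
# Added example, not Protocol::HTTP2 code: enforce MAX_HEADER_LIST_SIZE while
# decoding, and cap the per-stream buffer of HEADERS + CONTINUATION fragments.
use strict;
use warnings;

use constant MAX_HEADER_LIST_SIZE  => 65536;  # the advertised default the page says is never enforced
use constant MAX_HEADER_BLOCK_BYTES => 65536; # assumed cap on buffered fragment bytes per stream

# RFC 7540 s6.5.2: the size of a header field is name + value + 32 octets.
sub field_size {
    my ($name, $value) = @_;
    return length($name) + length($value) + 32;
}

# Decode a simplified, constructed header block. Each field is either
#   [ 'literal', $name, $value ]  or  [ 'indexed', $index ]  (into @$table).
# Returns { ok => 1, headers => [...], size => N } or { ok => 0, error => '...' }.
sub decode_header_list {
    my ($fields, $table, $limit) = @_;
    $limit //= MAX_HEADER_LIST_SIZE;
    my $total = 0;
    my @out;
    for my $f (@$fields) {
        my ($name, $value);
        if ($f->[0] eq 'indexed') {
            my $entry = $table->[ $f->[1] ]
                or return { ok => 0, error => 'bad table index' };
            ($name, $value) = @$entry;
        } else {
            ($name, $value) = @{$f}[1, 2];
        }
        # Charge the decoded size before copying the field out, so the cost of
        # expanding an indexed reference is counted on every reference.
        $total += field_size($name, $value);
        return { ok => 0, error => "header list exceeds $limit octets" }
            if $total > $limit;
        push @out, [ $name, $value ];
    }
    return { ok => 1, headers => \@out, size => $total };
}

# Per-stream accumulator for a HEADERS frame and its CONTINUATION frames.
# Refuses further fragments once the cap is reached instead of growing unbounded
# (a real implementation would then fail the connection).
sub stream_header_block_add {
    my ($stream, $fragment, $cap) = @_;
    $cap //= MAX_HEADER_BLOCK_BYTES;
    $stream->{header_block} //= '';
    if (length($stream->{header_block}) + length($fragment) > $cap) {
        $stream->{error} = "header block exceeds $cap octets";
        return 0;
    }
    $stream->{header_block} .= $fragment;
    return 1;
}

# Constructed demonstration: a table holding one large entry (index 0 unused),
# then a block of 20 one-byte indexed references that would expand to ~80 KB.
my @table = ( undef, [ 'x-padding', 'A' x 4000 ] );
my @bomb  = map { [ 'indexed', 1 ] } 1 .. 20;
my $r = decode_header_list(\@bomb, \@table);
printf "bomb block:   ok=%d %s\n", $r->{ok}, $r->{ok} ? "size=$r->{size}" : $r->{error};

# A normal request that also references the large entry once still fits.
my @normal = ( [ 'literal', ':method', 'GET' ], [ 'literal', ':path', '/' ], [ 'indexed', 1 ] );
$r = decode_header_list(\@normal, \@table);
printf "normal block: ok=%d size=%d\n", $r->{ok}, $r->{size};

# CONTINUATION flood: 1 KiB fragments are accepted up to the cap, then refused.
my %stream   = ( id => 1 );
my $accepted = 0;
$accepted++ while stream_header_block_add(\%stream, 'B' x 1024);
printf "fragments accepted before cap: %d (%s)\n", $accepted, $stream{error};
```

With these inputs the bomb block is rejected at the 17th indexed reference (16 fields of 4041 octets each fit under 65536, the 17th does not), the normal block decodes to 4121 octets, and the flood is cut off after 64 fragments. The point to carry into a real fix is that the limit is checked against the decoded size as each field is produced, not against the compact wire size of the block.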
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Protocol::HTTP2 versions through 1.12 allows an attacker to cause a memory-based denial-of-service (DoS) via an HTTP/2 Bomb attack by exploiting the lack of enforcement of header-list size limits during HPACK decoding and unbounded accumulation of CONTINUATION frames.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, such a denial-of-service vulnerability could impact the availability and reliability of systems processing sensitive data, which is a factor in regulatory compliance.
Specifically, denial-of-service attacks can lead to service outages or degraded performance, potentially affecting the confidentiality, integrity, and availability (CIA) triad that many regulations emphasize. Organizations relying on this module might face challenges in maintaining continuous service availability required by these standards.
However, there is no direct information in the provided context or resources linking this vulnerability to specific compliance violations or data breaches under GDPR, HIPAA, or similar regulations.