CVE-2026-48979
Awaiting Analysis Awaiting Analysis - Queue

HTTP/2 Request Smuggling in PHP Standard Library

Vulnerability report for CVE-2026-48979, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 Β§8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits and send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-23
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
php_standard_library psl 6.1.0
php_standard_library psl 6.1.1
php_standard_library psl 6.2.0
php_standard_library psl to 6.1.2 (inc)
php_standard_library psl to 6.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 within the Psl\H2\ServerConnection component. It fails to validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, which violates RFC 9113 Β§8.1.1.

This flaw allows a malicious client to perform request smuggling by sending more DATA bytes than declared, bypassing application-level size limits, or by sending fewer DATA bytes than declared and closing the stream early, causing applications that rely on the declared length to behave incorrectly.

The vulnerability only affects consumers who use Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers using higher-level documented PSL APIs are not affected. The issue has been fixed in versions 6.1.2 and 6.2.1.

Impact Analysis

This vulnerability can impact you by allowing a malicious client to smuggle additional content past application-level size limits or prematurely close streams, which can cause your application to behave incorrectly.

Such behavior can lead to security issues like bypassing input validation, triggering unexpected application logic, or potentially enabling further attacks that rely on manipulating request boundaries.

Mitigation Strategies

To mitigate this vulnerability, upgrade the PHP Standard Library (PSL) to version 6.1.2 or 6.2.1 or later, where the issue has been fixed.

Additionally, avoid using Psl\H2\ServerConnection directly to accept untrusted client traffic, as the vulnerability only affects consumers using this API directly.

Compliance Impact

The vulnerability involves the Psl\H2\ServerConnection not validating that the total bytes received in DATA frames match the content-length header, allowing request smuggling. This can cause applications to behave incorrectly by processing more or fewer bytes than declared.

While this behavior violates RFC 9113 Β§8.1.1, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart