CVE-2026-48979
HTTP/2 Request Smuggling in PHP Standard Library

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, Psl\H2\ServerConnection does not validate that the total number of bytes received in DATA frames matches the content-length header declared in the HEADERS frame, allowing request smuggling. This violates RFC 9113 §8.1.1. A malicious client can send more DATA bytes than declared, smuggling additional content past application-level size limits, or send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor                 Product   Version / Range
php_standard_library   psl       6.1.0
php_standard_library   psl       6.1.1
php_standard_library   psl       6.2.0
php_standard_library   psl       to 6.1.2 (inc)
php_standard_library   psl       to 6.2.1 (inc)
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Executive Summary

The vulnerability exists in the PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 within the Psl\H2\ServerConnection component. It fails to validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, which violates RFC 9113 §8.1.1.

This flaw allows a malicious client to perform request smuggling by sending more DATA bytes than declared, bypassing application-level size limits, or by sending fewer DATA bytes than declared and closing the stream early, causing applications that rely on the declared length to behave incorrectly.

The vulnerability only affects consumers who use Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers using higher-level documented PSL APIs are not affected. The issue has been fixed in versions 6.1.2 and 6.2.1.
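The check that the description and executive summary say is missing is the RFC 9113 §8.1.1 rule that the content-length declared in HEADERS must equal the sum of DATA frame payload lengths. The following is an added example, written for this page and not code from PSL, showing how a server-side HTTP/2 stream handler can enforce that rule for both failure modes the advisory names (too many bytes, and END_STREAM arriving with too few). The class and method names (StreamBodyLengthGuard, onData, onEndStream) and the frame sequences are assumptions constructed for illustration; they are not the Psl\H2 API.

```php
<?php
declare(strict_types=1);

// Added example (not PSL's own code). Enforces the RFC 9113 §8.1.1 rule that
// the sum of DATA payload lengths must equal the declared content-length.
// Class and method names are assumptions for illustration.

final class StreamBodyLengthError extends RuntimeException {}

final class StreamBodyLengthGuard
{
    private int $received = 0;

    // $declared is the value of the content-length header from the HEADERS
    // frame, or null when the request carried no content-length.
    public function __construct(private readonly ?int $declared) {}

    // Call once per DATA frame with the payload bytes (padding excluded).
    // Rejecting as soon as the declared length is exceeded stops excess bytes
    // from ever reaching application code, instead of at end of stream.
    public function onData(string $payload, bool $endStream): void
    {
        $this->received += strlen($payload);

        if ($this->declared !== null && $this->received > $this->declared) {
            throw new StreamBodyLengthError(sprintf(
                'received %d body bytes but content-length declared %d',
                $this->received,
                $this->declared
            ));
        }

        if ($endStream) {
            $this->onEndStream();
        }
    }

    // Call when END_STREAM is seen, whether on a DATA frame, on the HEADERS
    // frame itself (empty body), or on trailers. A short body is only
    // detectable here, because more DATA could still have followed.
    public function onEndStream(): void
    {
        if ($this->declared !== null && $this->received !== $this->declared) {
            throw new StreamBodyLengthError(sprintf(
                'stream ended after %d body bytes but content-length declared %d',
                $this->received,
                $this->declared
            ));
        }
    }

    public function received(): int
    {
        return $this->received;
    }
}

// Replays a constructed sequence of [payload, endStream] DATA frames against
// the guard. A real server would answer a StreamBodyLengthError with
// RST_STREAM(PROTOCOL_ERROR) on that stream, per RFC 9113 §8.1.1, and
// discard the body rather than pass it to the application.
function replay(?int $declared, array $frames): string
{
    $guard = new StreamBodyLengthGuard($declared);
    try {
        foreach ($frames as [$payload, $endStream]) {
            $guard->onData($payload, $endStream);
        }
        return 'ok (' . $guard->received() . ' bytes)';
    } catch (StreamBodyLengthError $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed sample streams: exact match, surplus bytes, and early END_STREAM.
echo replay(5, [['hello', true]]), PHP_EOL;
echo replay(5, [['hello', false], [' world', true]]), PHP_EOL;
echo replay(5, [['hel', true]]), PHP_EOL;
// No content-length declared: nothing to compare against, so any length passes.
echo replay(null, [['anything', true]]), PHP_EOL;
```

The surplus case is caught on the frame that crosses the declared length, before END_STREAM, so a size limit enforced by the application on the declared content-length cannot be bypassed by appending DATA frames. The short case can only be detected once the stream ends, which is why the guard must also be invoked for END_STREAM carried on HEADERS or trailers, not just on DATA frames.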

Impact Analysis

This vulnerability can impact you by allowing a malicious client to smuggle additional content past application-level size limits or prematurely close streams, which can cause your application to behave incorrectly.

Such behavior can lead to security issues like bypassing input validation, triggering unexpected application logic, or potentially enabling further attacks that rely on manipulating request boundaries.

Mitigation Strategies

To mitigate this vulnerability, upgrade the PHP Standard Library (PSL) to version 6.1.2 or 6.2.1 or later, where the issue has been fixed.

Additionally, avoid using Psl\H2\ServerConnection directly to accept untrusted client traffic, as the vulnerability only affects consumers using this API directly.
