The vulnerability of the nghttp2_on_stream_close_callback() function in the nghttp2 library allows a attacker to cause a service failure.

🗓️ 15 May 2025 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 2 Views

The nghttp2_on_stream_close_callback flaw lets attackers exhaust resources and disrupt services.

Reporter	Title	Published	Views	Family All 90
Tenable Nessus	Amazon Linux 2023 : libnghttp2, libnghttp2-devel, nghttp2 (ALAS2023-2023-278)	14 Aug 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-290)	14 Aug 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2023-300)	24 Aug 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nghttp2 (ALAS-2023-2180)	14 Aug 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ecs-service-connect-agent (ALASECS-2023-006)	6 Sep 202300:00	–	nessus
Tenable Nessus	Amazon Linux AMI : nghttp2 (ALAS-2023-1793)	14 Aug 202300:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: cmake / nghttp2 / nodejs / nodejs18 (CVE-2023-35945)	20 Mar 202500:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP11 : nghttp2 (EulerOS-SA-2023-3015)	16 Jan 202400:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP11 : nghttp2 (EulerOS-SA-2023-3038)	16 Jan 202400:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP10 : nghttp2 (EulerOS-SA-2023-3189)	16 Jan 202400:00	–	nessus

Source	Link
github	www.github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
github	www.github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c
github	www.github.com/nghttp2/nghttp2/pull/1930
altsp	www.altsp.su/obnovleniya-bezopasnosti/
cve	www.cve.omp.ru/bb27514
web	www.web.nvd.nist.gov/view/vuln/detail

05 Sep 2025 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 37.5

CVSS 27.8

EPSS0.01106

nghttp2 library stream close callback remote attackers resource exhaustion service disruption