TencentOS Server 4: nodejs (TSSA-2024:0613)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0613 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...
TencentOS Server 3: go-toolset:rhel8 (TSSA-2024:0176)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0176 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
CVE-2025-5991
A use-after-free vulnerability has been discovered in Qt's QHttp2ProtocolHandler class. This vulnerability only affects HTTP/2 handling and is the result of a race condition between HTTP body and error response handling. Mitigation: Mitigation for this issue is either not available or the...
CVE-2025-5991
CVE-2025-5991 affects Qt 6.9.0 and is fixed in Qt 6.9.1. The vulnerability is a use-after-free in QtNetwork's QHttp2ProtocolHandler, caused by a race between QHttp2Stream's POST body upload and simultaneous handling of HTTP error responses. It only impacts HTTP/2 handling (not HTTP/1.x). Exploitation...
K000151779: Node.js vulnerabilities CVE-2025-23083 and CVE-2025-23085
Security Advisory Description: CVE-2025-23083: With the aid of the diagnostics_channel module, an event can be hooked into whenever a worker thread is created. This is not limited to user-created workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be...
USN-7543-1: libsoup vulnerabilities
Jan Różański discovered that libsoup incorrectly handled certain headers when sending HTTP/2 requests over TLS. An attacker could possibly use this issue to cause a denial of service. This issue only affected libsoup3 in Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. CVE-2025-32908 Jan Różańsk...
CVE-2024-25622
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes e.g., path level are expected to inherit t...
CVE-2022-24666
A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing an HTTP/2 HEADERS fram...
CVE-2022-40482
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a us...
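The pattern behind the Laravel entry above, as an added illustration that is not code from Laravel or from the advisory: an early return for an unknown username skips the password-hash computation, so a login for a non-existent user finishes measurably faster than one for a real user. With HTTP/2 multiplexing an attacker sends both requests in the same TCP packet and reads the server's response order instead of the network round-trip, which removes the jitter that normally hides small timing differences. The hardened function below always does the hashing work (against a pre-computed dummy record) and folds the "user exists" bit in only at the end; that is one general mitigation, assumed here, not a description of the Laravel 9.32.0 patch. The credential store, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo credential store (not real users): username -> (salt, PBKDF2 hash).
# The iteration count is kept low so the example runs quickly; it is still enough
# hashing work for the timing difference between the two paths to be measurable.
ITERATIONS = 20_000
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": (SALT, hash_password("correct horse battery", SALT))}

# Pre-computed hash of a throwaway password, used so an unknown username costs
# the same hashing work as a known one (assumed mitigation for this example).
DUMMY_RECORD = (SALT, hash_password("dummy-password", SALT))

# Counts expensive hash operations per variant so a caller can see which path did work.
HASH_WORK = {"vulnerable": 0, "hardened": 0}


def vulnerable_check(username: str, password: str) -> bool:
    """Early-return pattern: an unknown user skips the hash entirely.

    Two multiplexed HTTP/2 requests, one for a real username and one for a
    bogus one, come back in an order that reveals which request hashed.
    """
    record = USERS.get(username)
    if record is None:
        return False
    HASH_WORK["vulnerable"] += 1
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def hardened_check(username: str, password: str) -> bool:
    """Always hash and compare, then AND the existence bit in at the end."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else DUMMY_RECORD
    HASH_WORK["hardened"] += 1
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return exists and matched


if __name__ == "__main__":
    for fn in (vulnerable_check, hardened_check):
        HASH_WORK[fn.__name__.split("_")[0]] = 0
        fn("nobody", "x")
        fn("alice", "wrong")
    # vulnerable: 1 hash for two logins; hardened: 2 hashes for two logins
    print(HASH_WORK)
```

The counter is the point: the vulnerable variant hashes once across two logins (only for the existing user), the hardened variant twice, so the unknown-user path no longer finishes early. Rate limiting on its own does not fix this, because the attacker needs only a pair of requests per probe.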
CVE-2021-32566
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to cause a denial of service (DoS) on the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1...
CVE-2020-5891
On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undisclosed HTTP/2 requests can lead to a denial of service when sent to a virtual server configured with the Fallback Host setting and a server-side HTTP/2 profile...
CVE-2020-9481
Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to an HTTP/2 slow read attack...
CVE-2020-5871
On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers. The problem can occur when ciphers, which have been blacklisted by the HTTP/2 RFC, are used on backend servers. This is a data-plane issue. There is no control-plane...
CVE-2020-9494
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...
CVE-2020-5875
On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy...
CVE-2019-6673
On versions 15.0.0-15.0.1 and 14.0.0-14.1.2, when the BIG-IP is configured in HTTP/2 Full Proxy mode, specifically crafted requests may cause a disruption of service provided by the Traffic Management Microkernel (TMM)...
CVE-2019-10079
Apache Traffic Server is vulnerable to HTTP/2 SETTINGS flood attacks. Earlier versions of Apache Traffic Server did not limit the number of SETTINGS frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions...
Denial Of Service (DoS)
org.eclipse.jetty.http2:jetty-http2-common is vulnerable to Denial of Service (DoS). The vulnerability is due to missing validation of the SETTINGS_MAX_HEADER_LIST_SIZE parameter in HTTP/2 SETTINGS frames. Specifically, Jetty fails to enforce reasonable limits on this value, allowing an attacker to...
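Both the Apache Traffic Server SETTINGS-flood entry (CVE-2019-10079) and the Jetty SETTINGS_MAX_HEADER_LIST_SIZE entry above come down to how a server treats the peer's SETTINGS frames. The following is an added example, not code from either project: a minimal HTTP/2 frame walker that strips the client connection preface, parses the 9-byte frame header and the 6-byte (identifier, value) pairs of a SETTINGS payload, counts SETTINGS frames per connection and answers a flood with ENHANCE_YOUR_CALM, and clamps SETTINGS_MAX_HEADER_LIST_SIZE to a local cap rather than trusting the peer's value. The limits MAX_SETTINGS_FRAMES and HEADER_LIST_SIZE_CAP are assumed policy values chosen for the example; the three sample connections are constructed inline.

```python
import struct

# HTTP/2 wire constants (RFC 9113): frame header layout, frame types, setting identifiers.
FRAME_HEADER_LEN = 9
SETTINGS_FRAME = 0x4
WINDOW_UPDATE_FRAME = 0x8
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Hypothetical local policy (assumed values for this example, not from any advisory).
MAX_SETTINGS_FRAMES = 10          # more than this on one connection is treated as a flood
HEADER_LIST_SIZE_CAP = 1 << 20    # never honour a peer value above 1 MiB


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def build_settings(params, ack: bool = False) -> bytes:
    """SETTINGS frame on stream 0; params is a list of (identifier, value) pairs."""
    body = b"".join(struct.pack("!HI", ident, value) for ident, value in params)
    return build_frame(SETTINGS_FRAME, FLAG_ACK if ack else 0, 0, body)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def inspect_connection(data: bytes):
    """Walk a client's raw byte stream.

    Returns (verdict, settings_frames_seen, accepted_max_header_list_size), where
    verdict is "OK" or the HTTP/2 error code a server should send in GOAWAY.
    """
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    seen = 0
    accepted = None
    for ftype, flags, stream_id, payload in iter_frames(data):
        if ftype != SETTINGS_FRAME:
            continue
        if stream_id != 0:                       # SETTINGS is connection-level only
            return "PROTOCOL_ERROR", seen, accepted
        seen += 1
        if seen > MAX_SETTINGS_FRAMES:           # the flood case: stop processing, tear down
            return "ENHANCE_YOUR_CALM", seen, accepted
        if flags & FLAG_ACK:
            if payload:                          # ACK must carry an empty payload
                return "FRAME_SIZE_ERROR", seen, accepted
            continue
        if len(payload) % 6:
            return "FRAME_SIZE_ERROR", seen, accepted
        for i in range(0, len(payload), 6):
            ident, value = struct.unpack("!HI", payload[i:i + 6])
            if ident == SETTINGS_MAX_HEADER_LIST_SIZE:
                # Clamp instead of trusting the peer: the value only advises how
                # large a header block we will accept, so it must never drive allocation.
                accepted = min(value, HEADER_LIST_SIZE_CAP)
    return "OK", seen, accepted


# Constructed sample connections (client side of the exchange).
NORMAL = (CLIENT_PREFACE
          + build_settings([(SETTINGS_MAX_HEADER_LIST_SIZE, 65536)])
          + build_frame(WINDOW_UPDATE_FRAME, 0, 0, struct.pack("!I", 1 << 20)))
FLOOD = CLIENT_PREFACE + build_settings([]) * 50
OVERSIZED = CLIENT_PREFACE + build_settings([(SETTINGS_MAX_HEADER_LIST_SIZE, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, conn in ("normal", NORMAL), ("flood", FLOOD), ("oversized", OVERSIZED):
        print(name, inspect_connection(conn))
```

Note that a SETTINGS flood does not need large frames: fifty empty 9-byte SETTINGS frames are enough to keep a server that acknowledges each one busy, which is why the counter is per connection and independent of payload size.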
Alibaba Cloud Linux 3 : 0131: grafana (ALINUX3-SA-2023:0131)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2023:0131 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-39325: A malicious HTTP/2 client...
Alibaba Cloud Linux 3 : 0091: git-lfs (ALINUX3-SA-2024:0091)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2024:0091 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-45288: An attacker may cause an...