CVE-2025-5991 Use after free in QHttp2ProtocolHandler

There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous...

CVE-2025-5991 Use after free in QHttp2ProtocolHandler

There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous...

PT-2025-25184 · Qt Company +1 · Qt +1

Name of the Vulnerable Software and Affected Versions: Qt versions 6.9.0 Description: The issue is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module, affecting only HTTP/2 handling. This occurs due to a race condition between uploading the body of a POST reque...

USN-7562-1 tomcat vulnerabilities

It was discovered that Tomcat did not include the secure attribute for session cookies when using the RemoteIpFilter with requests from a reverse proxy. An attacker could possibly use this issue to leak sensitive information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for tomcat9 on...

NewStart CGSL MAIN 7.02 : qt5-qtbase Vulnerability (NS-SA-2025-0077)

The remote NewStart CGSL host, running version MAIN 7.02, has qt5-qtbase packages installed that are affected by a vulnerability: - An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make...

PT-2025-29118

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.26 through 2.4.63 Description: In specific proxy setups, an untrusted client can trigger a denial of service against Apache HTTP Server. This occurs due to an assertion within the mod proxy http2 module when...

CVE-2022-24667

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of...

CVE-2022-24666

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS fram...

CVE-2022-24668

A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame handlin...

CVE-2022-22946

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates...

CVE-2021-36154

HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption...

CVE-2019-11940

In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations can place the header table into a corrupted state, leading to a use-after-free condition and undefined behavior. This issue affects Proxygen from v0.29.0 until v2017.04.03.00...

com.atlan:package-toolkit-testing (>=5.3.1 <=6.1.2), com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv5 (>=2.6.0 <=2.8.0) +751 more potentially affected by CVE-2025-1948 via org.eclipse.jetty.http2:jetty-http2-hpack (>=12.0.0 <=12.0.16)

org.eclipse.jetty.http2:jetty-http2-hpack MAVEN version =12.0.0, =5.3.1, =2.6.0, =1.41.1, =1.1.18, =2.0.20, =3.0.0, =3.0.2, =3.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0-A1, =4.0.0-A1, =4.0.0-A1, =4.1.0, =4.2.1 and more Source cves: CVE-2025-1948 Source advisory: SNYK:JAVA-ORGECLIPSEJETTYHTTP2-10118703...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of validation on the SETTINGSMAXHEADERLISTSIZE parameter. An attacker can cause the server to allocate excessive memory resources, leading to an OutOfMemoryError or...

com.atlan:package-toolkit-testing (>=5.3.1 <=6.1.2), com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv5 (>=2.6.0 <=2.8.0) +750 more potentially affected by CVE-2025-1948 via org.eclipse.jetty.http2:jetty-http2-common (>=12.0.0 <=12.0.16)

org.eclipse.jetty.http2:jetty-http2-common MAVEN version =12.0.0, =5.3.1, =2.6.0, =1.41.1, =1.1.18, =2.0.20, =3.0.0, =3.0.2, =3.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0-A1, =4.0.0-A1, =4.0.0-A1, =4.1.0, =4.2.1 and more Source cves: CVE-2025-1948 Source advisory: OSV:GHSA-889J-63JV-QHR8...

CVE-2025-1948

The CVE-2025-1948 issue affects Eclipse Jetty 12.0.0–12.0.16 where HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE can be set to a very large value. The Jetty HTTP/2 server does not validate this setting, leading to an allocation of a ByteBuffer of the requested size and likely OutOfMemoryError or JVM crash...

tomcat: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

A flaw was found in Apache Tomcat. This vulnerability allows an application-level denial of service DoS, causing it to become unresponsive or slow via maliciously crafted HTTP/2 prioritization headers. It performs an incomplete cleanup of failed requests, which triggers a memory leak...

Advisory ROSA-SA-2025-2855

Software: modhttp2 1.15.7 OS: ROSA Virtualization 3.0 packageevrstring: modhttp2-1.15.7-10.rv30.3 CVE-ID: CVE-2024-38477 BDU-ID: 2024-05195 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the modproxy module of the Apache HTTP Server web server is related to an incorrect null pointer entry...

USN-7469-3 nodejs vulnerability

USN-7469-1 fixed a vulnerability in Apache Traffic Server. This update provides the corresponding updates for Node.js. Original advisory details: It was discovered that Apache Traffic Server exhibited poor server resource management in its HTTP/2 protocol. An attacker could possibly use this issu...

CVE-2025-32908

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service DoS...