BIT-TOMCAT-2026-41293 Apache Tomcat: HTTP/2 request headers not validated

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0 through 11.0.21, from 10.1.0 through 10.1.54, from 9.0.0 through 9.0.117, from 10.0.0 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to...

openSUSE 16 Security Update : nodejs22 (openSUSE-SU-2026:20236-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20236-1 advisory. Update to 22.22.0: - CVE-2025-55130: file system permissions bypass via crafted symlinks bsc1256569. - CVE-2025-55131: timeout-based race...

SUSE-SU-2026:20486-1 Security update for google-osconfig-agent

This update for google-osconfig-agent fixes the following issues: - CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers bsc1236533...

SUSE-SU-2026:20483-1 Security update for google-guest-agent

This update for google-guest-agent fixes the following issues: - CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers bsc1236533...

nodejs: Nodejs denial of service

A denial of service flaw has been discovered in NodeJS. A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of...

nodejs: Nodejs denial of service

A denial of service flaw has been discovered in NodeJS. A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of...

AZL-75077 CVE-2025-59465 affecting package nodejs for versions less than 20.14.0-13

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

CVE-2025-59465

CVE-2025-59465 is observed affecting Node.js packages across multiple Amazon Linux and Fedora advisories. The issue concerns Node.js HTTP/2 server handling of malformed HEADERS frames with oversized HPACK data, leading to a crash via an unhandled TLSSocket error (ECONNRESET) and remote DoS. Affec...

CVE-2025-59465

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

Linux Distros Unpatched Vulnerability : CVE-2023-1428

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - There exists an vulnerability causing an abort to be called in gRPC. The following headers cause gRPC's C++ implementation to abort when called via http2: te: x...

SUSE CVE-2023-1428

There exists an vulnerability causing an abort to be called in gRPC. The following headers cause gRPC's C++ implementation to abort when called via http2: te: x x != trailers :scheme: x x != http, https grpclbclientstats: x x == anything On top of sending one of those headers, a later header must...

Medium: nerdctl

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

Medium: golist

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

AZL-39463 CVE-2023-45288 affecting package skopeo for versions less than 1.14.2-3

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-40012 CVE-2024-27316 affecting package httpd for versions less than 2.4.59-1

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion...

AZL-40001 CVE-2024-27316 affecting package httpd for versions less than 2.4.61-1

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion...

DEBIAN-CVE-2020-9494

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...

USN-4212-1 haproxy vulnerability

Tim Düsterhus discovered that HAProxy incorrectly handled certain HTTP/2 headers. An attacker could possibly use this issue to execute arbitrary code through CRLF injection...

Apache2 mod_http2 header Denial of Service Vulnerability

This vulnerability allows remote attackers to create a denial of service condition on vulnerable installations of Apache HTTPD server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP2 headers. A crafted HTTP2 request can trigger a...