GO-2026-4684 Traefik: HTTP/2 frames can cause a running server to panic in github.com/traefik/traefik

Traefik: HTTP/2 frames can cause a running server to panic in github.com/traefik/traefik...

CVE-2025-61752

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server...

SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2025:02978-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02978-1 advisory. Updated to Tomcat 10.1.43i: - CVE-2025-52520: Fixed integer overflow can lead to DoS for some unlikely configuration...

jetty: stop accepting new connections from valid clients

A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file...

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service DoS attack...

Mozilla: Denial of Service using HTTP/2 CONTINUATION frames

The Mozilla Foundation Security Advisory describes this flaw as: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser...

The vulnerability of the Envoy proxy server, related to errors in processing mixed-case schemes in HTTP/2, allows attackers to gain access to protected data.

The vulnerability of the Envoy proxy server is related to errors in the processing of mixed-case schemes in HTTP/2. Exploiting this vulnerability can allow a remote attacker to gain access to protected data...

http2-server: Invalid HTTP/2 requests cause DoS

A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests...

AZL-7384 CVE-2020-17527 affecting package tomcat 9.0.39-6

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...

USN-4321-1 haproxy vulnerability

Felix Wilhelm discovered that HAProxy incorrectly handled certain HTTP/2 requests. An attacker could possibly use this to execute arbitrary code...

HTTP/2: flood using empty frames results in excessive resource consumption

A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability...