Nghttp2 Security Vulnerabilities and Issues — Nghttp2 CVE List

Lucene search

Nghttp2Nghttp2

4 matches found

CVE•added 2023/10/10 2:15 p.m.•4613 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.94414EPSS

In wildWeb

CVE•added 2020/06/03 11:15 p.m.•668 views

CVE-2020-11080

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes th...

7.5CVSS6.5AI score0.00566EPSS

CVE•added 2023/07/13 9:15 p.m.•198 views

CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWAY...

7.5CVSS7.4AI score0.00125EPSS

CVE•added 2018/05/08 3:29 p.m.•166 views

CVE-2018-1000168

nghttp2 version >= 1.10.0 and nghttp2 = 1.31.1.

7.5CVSS6.4AI score0.04077EPSS