Hyper · Hyper · CVE-2023-26964
**Name of the Vulnerable Software and Affected Versions**
hyper version 0.13.7
h2 version 0.2.4
**Description**
An issue in the h2 component of hyper occurs when processing HTTP/2 `RST_STREAM` frames: streams stack up, causing high memory and CPU usage that can result in a Denial of Service (DoS). The issue affects users handling HTTP/2 connections. If an attacker floods the network with pairs of `HEADERS`/`RST_STREAM` frames, the pending accept queue keeps growing, which leads to excessive memory use and can trigger an out-of-memory condition.
**Recommendations**
For hyper version 0.13.7, consider updating to a version that includes the fix for the issue, which restricts remote reset stream count by default.
For h2 version 0.2.4, consider updating to a version that includes the fix for the issue, which restricts remote reset stream count by default.
As a temporary workaround, consider restricting the number of remote reset streams to prevent excessive memory use.
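The queue growth and the reset-stream cap described above, as an added example that is not hyper's or h2's code: a simplified model of a pending-accept queue, showing that without a cap the queue grows with every `HEADERS`/`RST_STREAM` pair, while a cap bounds it and leaves an application that keeps accepting unaffected. `Conn`, `max_remote_reset`, `queue_after` and the cap value 20 are hypothetical names and constructed values.

```rust
use std::collections::VecDeque;
// Hypothetical, simplified model of a server's pending-accept queue.
struct Stream { id: u32, remote_reset: bool }
struct Conn {
    pending_accept: VecDeque<Stream>, // streams the peer opened, not yet accepted
    remote_reset_pending: usize,      // queued streams the peer has already reset
    max_remote_reset: Option<usize>,  // None models the behaviour without a cap
}
impl Conn {
    fn new(max_remote_reset: Option<usize>) -> Self {
        Conn { pending_accept: VecDeque::new(), remote_reset_pending: 0, max_remote_reset }
    }
    fn recv_headers(&mut self, id: u32) {
        self.pending_accept.push_back(Stream { id, remote_reset: false });
    }
    // Returns false when the cap is hit; the caller must then close the connection.
    fn recv_rst_stream(&mut self, id: u32) -> bool {
        let pos = self.pending_accept.iter().position(|s| s.id == id && !s.remote_reset);
        if let Some(i) = pos {
            if self.remote_reset_pending >= self.max_remote_reset.unwrap_or(usize::MAX) {
                return false;
            }
            self.pending_accept[i].remote_reset = true;
            self.remote_reset_pending += 1;
        }
        true
    }
    // The application takes the next stream; once accepted it stops counting.
    fn accept(&mut self) -> Option<u32> {
        let s = self.pending_accept.pop_front()?;
        if s.remote_reset { self.remote_reset_pending -= 1; }
        Some(s.id)
    }
}
// Constructed input: frame pairs, one accept every `accept_every` pairs (0 = never).
// Returns (queue length, connection closed).
fn queue_after(cap: Option<usize>, pairs: u32, accept_every: u32) -> (usize, bool) {
    let mut c = Conn::new(cap);
    for i in 0..pairs {
        let id = 2 * i + 1; // client-initiated stream ids are odd
        c.recv_headers(id);
        if !c.recv_rst_stream(id) { return (c.pending_accept.len(), true); }
        if accept_every != 0 && (i + 1) % accept_every == 0 { c.accept(); }
    }
    (c.pending_accept.len(), false)
}
fn main() {
    println!("no cap, never accepts: {:?}", queue_after(None, 1000, 0));
    println!("cap 20, never accepts: {:?}", queue_after(Some(20), 1000, 0));
    println!("cap 20, keeps up:      {:?}", queue_after(Some(20), 1000, 1));
}
```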