CVE-2016-6581

Name of the Vulnerable Software and Affected Versions Python HPACK library versions 1.0.0 through 2.2.0

Description A denial of service attack, known as an "HPACK Bomb" attack, can be launched against the HTTP/2 implementation built using the Python HPACK library. This occurs when an attacker inserts a header field of a specific size into the dynamic header table, then sends repeated requests to expand this field, resulting in a high compression ratio. For example, 16kB of data can decompress to 64MB of data on the target machine.

Recommendations For versions 1.0.0 through 2.2.0, consider disabling the HTTP/2 implementation until a patch is available to prevent the "HPACK Bomb" attack. Restrict access to the dynamic header table to minimize the risk of exploitation. Avoid using the Python HPACK library for HTTP/2 implementations until the issue is resolved.