PT-2024-2591 · Unknown · Amphp/Http+1

Bartekn · Published 2024-01-05 · Updated 2024-09-06 · CVE-2024-2653

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions
amphp/http: releases before 1.7.3, and 2.0.0 up to and including 2.1.0 (fixed in 1.7.3 and 2.1.1, per GHSA-QJFW-CVJF-F4FM)
amphp/http-client: 4.0.0-rc10 through 4.0.0 (see GHSA-W8GF-G2VQ-J2F4)
Description
The HTTP/2 parser in amphp/http collects the fragments of a header block that arrive in CONTINUATION frames into a buffer without bounding its size, and only compares the accumulated block against the configured header size limit once the frame carrying the END_HEADERS flag has been received. A peer that sends a HEADERS frame without END_HEADERS followed by an unending sequence of CONTINUATION frames therefore makes the buffer grow until the PHP process exceeds its memory limit and dies with an out-of-memory (OOM) error: a remote denial of service that requires nothing beyond an HTTP/2 connection. amphp/http-client 4.0.0-rc10 through 4.0.0 is affected by the same flaw; there the attacker is a malicious or compromised server that the client connects to, rather than an arbitrary client.
Recommendations
amphp/http: update to 1.7.3 (1.x line) or 2.1.1 (2.x line) or later. amphp/http-client: update to a release later than 4.0.0, and confirm that the amphp/http version resolved in composer.lock is a fixed release as well; `composer audit` flags known-vulnerable locked versions. Until the update is deployed, disable HTTP/2 where the application allows it: a server that only speaks HTTP/1.1 never reaches the CONTINUATION path, and a client that does not negotiate h2 via ALPN is not exposed. Limiting the size of individual packets or frames does not help, because each CONTINUATION frame can be small; it is the unbounded sum of many frames that exhausts memory. PHP's memory_limit confines the damage to the crash of one worker process, which is still a denial of service.
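To make the flaw concrete, the following Python example (added here; it is not amphp's code and does not reproduce the library's patch) implements a minimal HTTP/2 frame serialiser and parser and contrasts two ways of collecting a header block across CONTINUATION frames: `collect_late_check`, which buffers every fragment and only tests the limit on END_HEADERS, and `collect_eager_check`, which refuses a fragment as soon as the running total would exceed the limit. The function names, the 8192-byte limit and the constructed frame stream are the example's own assumptions; the payloads are filler rather than real HPACK, since the accumulation bug does not depend on their contents.

```python
import struct

# HTTP/2 frame constants from RFC 9113 (the two types and the one flag involved).
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def build_header_block(n_frames, frame_size, end_headers):
    """Constructed input (hypothetical, not a capture): a HEADERS frame followed by
    n_frames-1 CONTINUATION frames on stream 1. Payloads are zero filler, not HPACK.
    END_HEADERS is set on the last frame only if end_headers is True; otherwise the
    header block never closes, which is exactly what the attacker wants."""
    frames = []
    for i in range(n_frames):
        ftype = HEADERS if i == 0 else CONTINUATION
        flags = END_HEADERS if (end_headers and i == n_frames - 1) else 0
        frames.append(frame(ftype, flags, 1, b"\x00" * frame_size))
    return b"".join(frames)


def collect_late_check(data, limit):
    """Vulnerable pattern: append every fragment, compare against the limit only when
    END_HEADERS arrives. Returns (peak_bytes_buffered, outcome)."""
    buf = bytearray()
    peak = 0
    for ftype, flags, _sid, payload in iter_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue
        buf += payload                      # unbounded growth
        peak = max(peak, len(buf))
        if flags & END_HEADERS:
            return peak, "rejected" if len(buf) > limit else "accepted"
    return peak, "incomplete"               # END_HEADERS never came; buffer kept growing


def collect_eager_check(data, limit):
    """Bounded pattern: refuse a fragment before buffering it once the running total
    would exceed the limit, so the buffer never holds more than `limit` bytes."""
    buf = bytearray()
    peak = 0
    for ftype, flags, _sid, payload in iter_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue
        if len(buf) + len(payload) > limit:
            return peak, "rejected"         # reject before allocating
        buf += payload
        peak = max(peak, len(buf))
        if flags & END_HEADERS:
            return peak, "accepted"
    return peak, "incomplete"


if __name__ == "__main__":
    LIMIT = 8192
    flood = build_header_block(n_frames=100, frame_size=1024, end_headers=False)
    print("late check :", collect_late_check(flood, LIMIT))
    print("eager check:", collect_eager_check(flood, LIMIT))
```

Run against the flood, the late-check collector reports a peak of 102400 buffered bytes and no decision, because the stream never closes the header block; scale the frame count up and the buffer grows without bound, which is the OOM. The eager collector stops at 8192 bytes regardless of how many frames follow. A real parser would additionally enforce that CONTINUATION frames arrive on the same stream with no other frame interleaved, which this sketch omits.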

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

BDU:2024-02654
CVE-2024-2653
GHSA-QJFW-CVJF-F4FM
GHSA-W8GF-G2VQ-J2F4

Affected Products

Amphp/Http
Amphp/Http-Client