CVE Catalog

CVE-2026-10725

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

17th percentile - higher than 17% of all known CVEs

Summary

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb attack, which can lead to excessive server memory consumption. The lack of header-list size limit in the headers_decode method allows for uncontrolled memory expansion.

Risk Assessment

An attacker could exploit this vulnerability to exhaust server resources, leading to service degradation or complete outage. Organizations should be aware of the risks associated with excessive memory consumption.

Recommendation

It is recommended to upgrade to Protocol::HTTP2 version 1.13 or later to mitigate this vulnerability. Additionally, implementing monitoring and limits on header sizes in applications using HTTP/2 is advisable.

Original NVD description (English source)

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS