CVE-2026-54399
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
An uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.
Risk Assessment
The organization is at risk of DoS attacks that could lead to unavailability of services based on Apache HttpComponents Core, potentially disrupting application operations and affecting business continuity.
Recommendation
Immediately upgrade Apache HttpComponents Core to version 5.4.3 or later (post 5.5-beta1). If an upgrade is not possible, restrict access to services using this library and implement mechanisms to limit the number and length of HTTP headers.
Original NVD description (English source)
Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length

