HIGH 7.5

CVE-2026-10725: Protocol::HTTP2 HTTP/2 Bomb Memory Exhaustion Vulnerability

Protocol::HTTP2, a Perl library for handling HTTP/2 communication, contains a vulnerability that allows an attacker to consume excessive server memory by sending a specially crafted HTTP/2 request with many headers. The library fails to enforce advertised limits on header sizes, permitting small network payloads to expand dramatically once processed, disrupting server availability. This affects versions before 1.13.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-409
Affected products
1 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

Protocol::HTTP2 versions prior to 1.13 lack proper validation of cumulative header list size during HPACK decoding. The headers_decode method creates full copies of key-value pairs for each indexed header reference without tracking aggregate size. Additionally, since version 1.12, the stream_header_block_add method appends CONTINUATION frames to per-stream buffers without bounds checking. While the library advertises MAX_HEADER_LIST_SIZE (65536 bytes by default) in HTTP/2 SETTINGS frames, this limit is never enforced during the decode phase, enabling an HTTP/2 bomb attack where compressed headers decompress to vastly larger structures in server memory.

Business impact

Organizations deploying Protocol::HTTP2 face denial-of-service risk. A remote unauthenticated attacker can trigger memory exhaustion on affected servers by sending HTTP/2 requests with inflated header blocks, causing service degradation or crashes without requiring authentication or user interaction. This directly impacts availability SLAs for any web service or API gateway relying on this library.

Affected systems

Protocol::HTTP2 for Perl before version 1.13 is vulnerable. Any application or service using this library to handle inbound HTTP/2 connections—including web servers, API gateways, microservices, and proxies—is at risk if they have not updated to 1.13 or later. Verify your Perl module versions and dependency manifests to identify exposure.

Exploitability

Exploitability is straightforward. The vulnerability requires only network access and no authentication; an attacker can craft and send a malicious HTTP/2 request over the network to trigger memory exhaustion. The attack is reliable and does not depend on user interaction. However, this is a denial-of-service attack, not a code execution or data breach vector. Complexity is low due to the simplicity of HTTP/2 protocol manipulation tools.

Remediation

Upgrade Protocol::HTTP2 to version 1.13 or later. This version introduces proper header-list size enforcement during HPACK decoding and correctly applies the MAX_HEADER_LIST_SIZE limit advertised in SETTINGS frames. Test the update in a non-production environment before full deployment to ensure compatibility with dependent applications.

Patch guidance

Update the Protocol::HTTP2 Perl module to version 1.13 or newer using your package manager (e.g., cpan, cpanm, or your distribution's module system). Verify the upgrade via `perl -MProtocol::HTTP2 -e 'print $Protocol::HTTP2::VERSION'` and confirm it returns 1.13 or higher. Restart all services that depend on this library after patching.

Detection guidance

Monitor server memory usage for unexplained spikes correlated with HTTP/2 traffic. Enable HTTP/2 frame logging if available to identify requests with unusually large or numerous CONTINUATION frames. Look for HPACK decoder errors or per-stream buffer warnings in application logs. Network-level detection of HTTP/2 frames with compressed header blocks significantly larger than typical requests may indicate attack attempts. Consider implementing rate limiting or connection limits on HTTP/2 streams as a temporary mitigation.

Why prioritize this

This vulnerability earns a HIGH severity rating due to its high attack surface (network-facing, no authentication required), ease of exploitation, and direct impact on service availability. While it does not enable code execution or data theft, the simplicity of triggering denial-of-service on unpatched systems makes it a credible immediate threat. Organizations should treat this as a priority patch, especially for public-facing or customer-critical services.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects an unauthenticated, low-complexity network attack vector with no user interaction required, resulting in a high impact to availability. The confidentiality and integrity scores are zero because this is a denial-of-service vector only. The unchanged scope and broad attack surface justify the elevated score. No privilege escalation or data exfiltration is possible via this flaw.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. Protocol::HTTP2 CVE-2026-10725 is limited to denial-of-service via memory exhaustion. It does not permit arbitrary code execution, privilege escalation, or data theft. The impact is strictly on service availability.

Do I need to restart services after upgrading to Protocol::HTTP2 1.13?

Yes. Once you upgrade the module, restart all applications and services that depend on Protocol::HTTP2 to ensure they load the patched version. Reloading alone may not be sufficient; a full process restart is recommended.

Can I work around this vulnerability without patching?

Temporary mitigations include implementing strict per-connection or per-stream memory limits at the application or reverse proxy level, rate-limiting HTTP/2 connections, and reducing the negotiated MAX_HEADER_LIST_SIZE. However, these are stopgap measures. Patching to version 1.13 is the definitive fix.

How do I know if my application uses Protocol::HTTP2?

Check your Perl application's dependency manifest (e.g., Makefile.PL, cpanfile, or META.json) for Protocol::HTTP2. If it is listed as a direct or transitive dependency, your application is potentially affected. Run `cpan -l` or `perldoc perllocal` to list installed modules and their versions on your system.

This analysis is provided for informational purposes to support security decision-making. SEC.co makes no warranty regarding the completeness or accuracy of derived interpretations. Verify all technical details, patch availability, and affected versions against official vendor advisories and your own deployment documentation. Test patches in non-production environments before production deployment. Security decisions should incorporate your organization's risk tolerance, threat model, and operational constraints. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).