High severity 8.2 · NVD Advisory · Published Apr 3, 2024 · Updated Apr 15, 2026
CVE-2024-2653
Description
amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| amphp/http (Packagist) | >= 2.0.0, < 2.1.1 | 2.1.1 |
| amphp/http (Packagist) | < 1.7.3 | 1.7.3 |
| amphp/http-client (Packagist) | >= 4.0.0-rc10, <= 4.0.0 | — |
Affected products
Patches
3a33e68a3b53 Merge pull request from GHSA-qjfw-cvjf-f4fm
1 file changed · +9 −0
src/Http2/Http2Parser.php+9 −0 modified@@ -407,6 +407,15 @@ private function pushHeaderBlockFragment(int $streamId, string $buffer): void $this->headerStream = $streamId; $this->headerBuffer .= $buffer; + + $headersTooLarge = \strlen($this->headerBuffer) > $this->headerSizeLimit; + + if ($headersTooLarge) { + throw new Http2ConnectionException( + "Headers exceed the maximum configured size of {$this->headerSizeLimit} bytes", + self::COMPRESSION_ERROR + ); + } } /** @see https://http2.github.io/http2-spec/#HEADERS */
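Review bot: the new size check in pushHeaderBlockFragment runs after `$this->headerBuffer .= $buffer;`, so each CONTINUATION fragment is now bounded as it arrives instead of only at END_HEADERS, which is the right place for it; however `\strlen($this->headerBuffer)` re-measures the whole concatenated string on every fragment, whereas the companion patch below keeps a running `$this->headerLength` and compares that, so consider the same incremental counter here to avoid rescanning the buffer per frame. Also worth a short comment: the limit is applied to the buffered (still HPACK-encoded) header block bytes, not to the decoded header list, which is not obvious from the exception text "Headers exceed the maximum configured size".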
881cc33da236 Merge pull request from GHSA-qjfw-cvjf-f4fm
1 file changed · +9 −0
src/Http2/Http2Parser.php+9 −0 modified@@ -378,6 +378,15 @@ private function pushHeaderBlockFragment(int $streamId, string $buffer): void $this->headerStream = $streamId; $this->headerBuffer[] = $buffer; $this->headerLength += \strlen($buffer); + + $headersTooLarge = $this->headerLength > $this->headerSizeLimit; + + if ($headersTooLarge) { + throw new Http2ConnectionException( + "Headers exceed the maximum configured size of {$this->headerSizeLimit} bytes", + self::COMPRESSION_ERROR + ); + } } /** @see https://http2.github.io/http2-spec/#HEADERS */
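Review bot: the comparison `$this->headerLength > $this->headerSizeLimit` is evaluated only after the fragment has already been appended to `$this->headerBuffer[]` and added to `$this->headerLength`, so the oversize fragment is stored before the Http2ConnectionException is thrown; that is acceptable because the exception terminates the connection, but the hunk does not show `headerBuffer` / `headerLength` being reset, so confirm the connection-level error path discards that state rather than relying on the stream being reused. The strict `>` also means a block exactly equal to headerSizeLimit is accepted, which matches the "exceed" wording of the message; a one-line comment stating that the limit counts raw header block fragment bytes across HEADERS and CONTINUATION frames would document the invariant this fix introduces.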
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qjfw-cvjf-f4fm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-2653 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/04/03/16 (nvd, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/amphp/http-client/CVE-2024-2653.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/amphp/http/CVE-2024-2653.yaml (ghsa, WEB)
- github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4 (nvd, WEB)
- github.com/amphp/http/commit/3a33e68a3b53f7279217238e89748cf0cb30b8a6 (ghsa, WEB)
- github.com/amphp/http/commit/881cc33da236fbcd0cb0cf6c2bfc7efcf80ede76 (ghsa, WEB)
- github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm (nvd, WEB)
- www.kb.cert.org/vuls/id/421644 (nvd, WEB)