Medium severity · OSV Advisory · Published Aug 25, 2025 · Updated Apr 15, 2026
CVE-2025-57804
Description
h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
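The check a downgrading server needs, as an added example (not h2's own code or its 4.3.0 fix): headers are validated as bytes before they are re-serialised as HTTP/1.1, so a CR, LF or NUL in a name or value is rejected instead of becoming a new line (and potentially a second request) in the HTTP/1.1 stream. The function names and the sample inputs in the test are constructed for this illustration.

```python
import re

# Constructed example of the validation an HTTP/2 -> HTTP/1.1 downgrade must
# perform before it writes headers into the HTTP/1.1 byte stream.

# CR, LF and NUL can never legitimately appear in a header name or value.
_FORBIDDEN = re.compile(rb"[\r\n\x00]")
# RFC 9110 token characters; every header name must be a non-empty token.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderValidationError(ValueError):
    """A header that would corrupt HTTP/1.1 framing if serialised as-is."""


def validate_headers(headers):
    """Check (name, value) byte pairs; return them unchanged or raise."""
    for name, value in headers:
        if not (isinstance(name, bytes) and isinstance(value, bytes)):
            raise HeaderValidationError("header name and value must be bytes")
        # Pseudo-headers such as b":path" carry a leading colon; the rest
        # of the name must still be a token.
        bare = name[1:] if name.startswith(b":") else name
        if not _TOKEN.match(bare):
            raise HeaderValidationError(f"invalid header name {name!r}")
        if _FORBIDDEN.search(value):
            raise HeaderValidationError(f"CR/LF/NUL in value of {name!r}")
        # Surrounding whitespace is invalid in HTTP/2 field values and can
        # confuse HTTP/1.1 parsers, so reject it rather than trimming it.
        if value != value.strip(b" \t"):
            raise HeaderValidationError(f"surrounding whitespace in {name!r}")
    return headers


def is_safe_to_downgrade(headers):
    """True if the header block passes validation, False otherwise."""
    try:
        validate_headers(headers)
        return True
    except HeaderValidationError:
        return False


def downgrade_to_http11(headers):
    """Serialise a validated HTTP/2 request head as HTTP/1.1 bytes."""
    validate_headers(headers)
    pseudo = dict(h for h in headers if h[0].startswith(b":"))
    head = [b"%s %s HTTP/1.1\r\n" % (pseudo[b":method"], pseudo[b":path"])]
    if b":authority" in pseudo:
        head.append(b"Host: %s\r\n" % pseudo[b":authority"])
    head += [b"%s: %s\r\n" % h for h in headers if not h[0].startswith(b":")]
    return b"".join(head) + b"\r\n"
```

Because validation runs on the raw bytes before any serialisation, the check is the same whichever HTTP/1.1 backend the request is forwarded to.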
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h2 (PyPI) | < 4.3.0 | 4.3.0 |
Affected products
Enumerated affected versions: v1.0.0, v1.1.0, v1.1.1, …

None of the entries below has a CPE assigned; the affected range is given per package coordinate (purl).

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/airflow-2 | Chainguard | < 2.11.0-r12 |
| pkg:apk/chainguard/airflow-2-bitnami-compat | Chainguard | < 2.11.0-r12 |
| pkg:apk/chainguard/airflow-2-compat | Chainguard | < 2.11.0-r12 |
| pkg:apk/chainguard/airflow-2-iamguarded-compat | Chainguard | < 2.11.0-r12 |
| pkg:apk/chainguard/airflow-3 | Chainguard | < 3.0.6-r0 |
| pkg:apk/chainguard/airflow-3-bitnami-compat | Chainguard | < 3.0.6-r0 |
| pkg:apk/chainguard/airflow-3-compat | Chainguard | < 3.0.6-r0 |
| pkg:apk/chainguard/airflow-3-iamguarded-compat | Chainguard | < 3.0.6-r0 |
| pkg:apk/chainguard/localstack | Chainguard | < 4.7.0-r5 |
| pkg:apk/chainguard/localstack-compat | Chainguard | < 4.7.0-r5 |
| pkg:apk/wolfi/airflow-3 | Wolfi | < 3.0.6-r0 |
| pkg:apk/wolfi/airflow-3-bitnami-compat | Wolfi | < 3.0.6-r0 |
| pkg:apk/wolfi/airflow-3-compat | Wolfi | < 3.0.6-r0 |
| pkg:apk/wolfi/airflow-3-iamguarded-compat | Wolfi | < 3.0.6-r0 |
| pkg:pypi/h2 | PyPI | < 4.3.0 |
| pkg:rpm/opensuse/python-h2 | openSUSE Leap 15.6 | < 4.1.0-150400.8.6.1 |
| pkg:rpm/opensuse/python-h2 | openSUSE Leap 16.0 | < 4.2.0-160000.3.1 |
| pkg:rpm/opensuse/python-h2 | openSUSE Tumbleweed | < 4.3.0-1.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Module for Python 3 15 SP6 | < 4.1.0-150400.8.6.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Module for Python 3 15 SP7 | < 4.1.0-150400.8.6.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Module for Server Applications 15 SP6 | < 3.2.0-150200.3.5.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Module for Server Applications 15 SP7 | < 3.2.0-150200.3.5.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Server 16.0 | < 4.2.0-160000.3.1 |
| pkg:rpm/suse/python-h2 | SUSE Linux Enterprise Server for SAP applications 16.0 | < 4.2.0-160000.3.1 |
References
- github.com/advisories/GHSA-847f-9342-265h (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57804 (source: GHSA; type: advisory)
- github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a (source: NVD; type: web)
- github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h (source: NVD; type: web)
- lists.debian.org/debian-lts-announce/2025/09/msg00004.html (source: NVD; type: web)