Описание
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
EPSS
Дефекты
Связанные уязвимости
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
A vulnerability was found in python-hyper/h2 that contains an input validation flaw that allows carriage return and line feed (CRLF) characters to be injected into HTTP/2 header fields. When requests are downgraded from HTTP/2 to HTTP/1.1, the library fails to enforce proper header validation, which may lead to incorrect parsing of request boundaries by downstream components.
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior t ...
h2 allows HTTP Request Smuggling due to illegal characters in headers
EPSS