PHP PSL HTTP/2 DATA Frame Content-Length Validation Bypass (GHSA-pw9p-7mm-f7rm)

Vulnerability Overview This vulnerability is a server-side HTTP/2 flaw in the project, specifically within the component. The vulnerability identifier is GHSA-pw9p-7mm-f7rm. Scope of Impact Affected Component: Vulnerability Description: The total number of received bytes in the HTTP/2 DATA frame is not verified against the header declared in the initial HEADERS frame, violating RFC 9113 §8.1.1 and §8.1.2.6. Potential Risks: - A malicious client can send more DATA bytes than declared, thereby bypassing application-layer size limits. - A malicious client can send fewer DATA bytes than declared and close the stream prematurely, causing applications that trust the declared length to behave anomalously. Affected Users: Users directly using to accept traffic from untrusted clients. Users of the documented high-level PSL APIs are not affected. Remediation Patch Content: - Parse and validate the received in server-side HEADERS (RFC 9110 §8.6: must be a non-negative decimal integer). - Track the cumulative DATA frame payload length for each stream. - Throw a in case of a mismatch or overflow. Client Validation: Client-side validation is intentionally not performed because RFC 9110 §9.3.2 allows a HEAD response to declare a without sending DATA. Additional Fixes now flushes pending buffered writes before blocking. Otherwise, frames written within the block will never reach the peer, and the peer sending only will deadlock after observing the DATA. Upgrade Instructions Credits Discovered via internal review before public exploitation.

Goal Reached Thanks to every supporter — we hit 100%!

PHP PSL HTTP/2 DATA Frame Content-Length Validation Bypass (GHSA-pw9p-7mm-f7rm)

More from this source