CVE-2026-10725

Published: Giu 06, 2026 Last Modified: Giu 06, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the 'HTTP/2 bomb').

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.

409

Improper Handling of Highly Compressed Data (Data Amplification)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Amplification Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory)
Applicable Platforms
All platforms may be affected
View CWE Details
https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/sourc…
https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2…
https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/sourc…
https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2…
https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12…
https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.p…