GHSA-8grv-jq2g-cfhw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8grv-jq2g-cfhw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-8grv-jq2g-cfhw/GHSA-8grv-jq2g-cfhw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8grv-jq2g-cfhw
- Published
- 2026-02-10T00:25:41Z
- Modified
- 2026-02-10T00:55:07.947890Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- amphp/http-server affected by HTTP/2 DDoS vulnerability
- Details
-
Versions of
amphp/http-serverprior to3.4.4for the 3.x release branch and prior to2.1.10for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506.In versions
3.4.4and2.1.10, stream reset protection has been refactored to account for the number of reset streams within a sliding time window.Note that your application must expose HTTP/2 connections directly to be affected by this vulnerability. Servers behind a proxy using HTTP/1.x such as nginx are not affected.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-400" ], "github_reviewed_at": "2026-02-10T00:25:41Z", "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
Packagist / amphp/http-server
Package
- Name
- amphp/http-server
- Purl
- pkg:composer/amphp/http-server
Packagist / amphp/http-server
Package
- Name
- amphp/http-server
- Purl
- pkg:composer/amphp/http-server