CVE-2024-23837
LibHTP unbounded folded header handling leads to denial of service
In short
LibHTP, an HTTP parser library, can be overwhelmed by specially crafted HTTP headers that fold (wrap) in unusual ways, causing it to spend excessive time processing them and making the service unavailable to legitimate users.
Technical detail
LibHTP contains an unbounded processing vulnerability in folded header handling (CWE-770): maliciously crafted HTTP headers with excessive folding can trigger an algorithmic complexity attack. The vulnerability allows remote, unauthenticated attackers to cause denial of service through network-based HTTP traffic. It is fixed in version 0.5.46.
Summary generated and translated by AI from the official description.
LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
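The mitigation class the advisory points at (CWE-770, missing limits on resource consumption) is easiest to see in code. The block below is an added example written for this page; it is not LibHTP's code and not the fix from the referenced commit. It unfolds one header field whose continuation lines use the RFC 7230 obs-fold form (lines starting with SP or HTAB) and refuses to proceed once a fold count or an output byte budget is exceeded, so the work done per field is bounded regardless of how the field is folded. The limits `MAX_HEADER_FOLDS` and `MAX_HEADER_VALUE`, the function names, and the sample headers are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits for this example; they are not LibHTP's own constants. */
#define MAX_HEADER_FOLDS   16      /* continuation (obs-fold) lines per field */
#define MAX_HEADER_VALUE   4096    /* bytes in the unfolded field value       */

typedef enum {
    UNFOLD_OK = 0,
    UNFOLD_TOO_MANY_FOLDS,   /* more continuation lines than MAX_HEADER_FOLDS */
    UNFOLD_TOO_LONG,         /* unfolded value would exceed the byte budget   */
    UNFOLD_BAD_CONTINUATION  /* a later line did not start with SP or HTAB    */
} unfold_status;

/*
 * Unfold one header field. `input` holds the raw bytes of the field's first
 * line plus any continuation lines (lines that begin with SP or HTAB, the
 * RFC 7230 obs-fold form), separated by LF or CRLF. Continuation lines are
 * joined into `out` with a single space. Work is bounded by a fold count and
 * an output size so a crafted field cannot force unbounded processing, which
 * is the resource-limit (CWE-770) point behind the advisory above.
 * On success `*folds` receives the number of continuation lines consumed.
 */
unfold_status unfold_header(const char *input, size_t len,
                            char *out, size_t out_cap, size_t *folds)
{
    size_t out_len = 0, nfolds = 0, pos = 0;
    bool first = true;

    if (out_cap == 0) return UNFOLD_TOO_LONG;

    while (pos < len) {
        /* Locate the end of the current line; a trailing CR is dropped. */
        size_t end = pos;
        while (end < len && input[end] != '\n') end++;
        const char *line = input + pos;
        size_t line_len = end - pos;
        if (line_len > 0 && line[line_len - 1] == '\r') line_len--;

        if (!first) {
            if (line_len == 0 || (line[0] != ' ' && line[0] != '\t'))
                return UNFOLD_BAD_CONTINUATION;
            /* Hard cap on folds: reject before doing any further work. */
            if (++nfolds > MAX_HEADER_FOLDS) return UNFOLD_TOO_MANY_FOLDS;
            /* Collapse the leading whitespace of the continuation to one SP. */
            while (line_len > 0 && (line[0] == ' ' || line[0] == '\t')) {
                line++;
                line_len--;
            }
            if (out_len + 1 >= out_cap || out_len + 1 > MAX_HEADER_VALUE)
                return UNFOLD_TOO_LONG;
            out[out_len++] = ' ';
        }
        if (out_len + line_len >= out_cap || out_len + line_len > MAX_HEADER_VALUE)
            return UNFOLD_TOO_LONG;
        memcpy(out + out_len, line, line_len);
        out_len += line_len;

        first = false;
        pos = end + 1;   /* step past the LF (or past the end of input) */
    }
    out[out_len] = '\0';
    *folds = nfolds;
    return UNFOLD_OK;
}

/*
 * Build a constructed header field with `nfolds` continuation lines and return
 * the status the bounded unfolder gives it. Used to show the cap taking effect.
 */
unfold_status status_for_fold_count(size_t nfolds)
{
    char in[8192], out[8192];
    size_t n = 0, folds = 0;
    n += (size_t)snprintf(in + n, sizeof in - n, "X-Constructed: v0\r\n");
    for (size_t i = 1; i <= nfolds && n + 8 < sizeof in; i++)
        n += (size_t)snprintf(in + n, sizeof in - n, " v%zu\r\n", i);
    return unfold_header(in, n, out, sizeof out, &folds);
}

int main(void)
{
    /* Constructed sample: one field folded across three lines. */
    const char sample[] = "X-Example: first\r\n\tsecond\r\n   third\r\n";
    char out[256];
    size_t folds = 0;
    unfold_status st = unfold_header(sample, sizeof sample - 1, out, sizeof out, &folds);
    printf("status=%d folds=%zu value=\"%s\"\n", (int)st, folds, out);

    /* The same routine refuses a field with more folds than the budget. */
    printf("40 folds -> status=%d\n", (int)status_for_fold_count(40));
    return 0;
}
```

The design choice worth noting is that both checks happen before any copying or further scanning of the offending line: the fold counter is incremented and compared first, and the byte budget is checked before each `memcpy`. A parser that only bounded the final output but still walked every continuation line would still let a crafted field dictate how much work is done, which is exactly the behaviour the advisory describes.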
Affected products
OISF · libhtp
References
https://github.com/OISF/libhtp/commit/20ac301d801cdf01b3f021cca08a22a87f477c4a
https://github.com/OISF/libhtp/security/advisories/GHSA-f9wf-rrjj-qx8m
https://lists.debian.org/debian-lts-announce/2025/09/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GOCOBFUTIFHOP2PZOH4ENRFXRBHIRKK4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXJIT7R53ZXROO3I256RFUWTIW4ECK6P/
https://redmine.openinfosecfoundation.org/issues/6444