github.com/cloudwego/hertz is vulnerable to Denial of service (DoS)
40
Medium Risk
Affected versions of this package are vulnerable to an HTTP connection deadlock that leads to resource exhaustion: the server fails to handle connection state transitions during ambiguous client interactions. It manifests in two exploitable scenarios: (1) when clients connect without sending data and disconnect prematurely, causing the server to keep the idle connection open until its timeout expires; and (2) when clients send TLS ClientHello messages to HTTP ports, creating a mutual deadlock in which the server waits indefinitely for an HTTP request line while the client waits for the TLS negotiation to proceed. Attackers exploit both scenarios by flooding servers with either rapid-fire empty connections or deliberate HTTPS-to-HTTP port mismatches, consuming connection slots and worker resources to induce denial of service with minimal traffic.
You are affected if you are using a version that falls within the vulnerable range.
github.com/cloudwego/hertz is vulnerable to Denial of service (DoS) in versions 0.8.0 through 0.10.0.
Upgrade the github.com/cloudwego/hertz library to a patched version.
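Both scenarios above come down to the same defensive gap: a freshly accepted connection is allowed to hold a slot for as long as it likes while the server waits for bytes that either never come or never form an HTTP request line. The Go program below is added here as an illustration of the mitigation class and is not code from hertz or from its fix (upgrading remains the remediation). Using only the standard library, it puts a guard in front of an accepted plain-HTTP connection: the client gets a bounded time to send its first bytes, a silent client is dropped when that deadline passes, a TLS record header arriving on the HTTP port is answered at once with a non-TLS reply so that neither side waits on the other, and a genuine HTTP request is passed through with nothing consumed. The names ClassifyPrefix, GuardConn and Probe, the error values, the in-memory net.Pipe harness and the sample payloads are all constructions for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
	"time"
)

// Classification of the first bytes a client sends to a plain-HTTP port.
const (
	KindHTTP    = "http"    // an HTTP/1.x request line
	KindTLS     = "tls"     // a TLS record, i.e. a ClientHello sent to the wrong port
	KindUnknown = "unknown" // anything else
)

const prefixLen = 8 // "OPTIONS " and "CONNECT " are the longest method tokens

// Error values are constructed for this example; the caller closes the connection on any of them.
var (
	ErrNoData          = errors.New("client sent no (or too little) data before the deadline")
	ErrTLSOnHTTPPort   = errors.New("TLS handshake received on a plain-HTTP port")
	ErrUnknownProtocol = errors.New("unrecognised protocol prefix")
)

var httpMethods = []string{"GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "PATCH ", "OPTIONS ", "CONNECT ", "TRACE "}

// ClassifyPrefix decides which protocol the first bytes of a connection belong to.
// A TLS record starts with content type 0x16 (handshake) and a 0x03 major version byte;
// an HTTP/1.x request starts with a method token followed by a space.
func ClassifyPrefix(b []byte) string {
	if len(b) >= 3 && b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x04 {
		return KindTLS
	}
	for _, m := range httpMethods {
		if bytes.HasPrefix(b, []byte(m)) {
			return KindHTTP
		}
	}
	return KindUnknown
}

// GuardConn gives a freshly accepted connection at most wait to send its first
// prefixLen bytes, then classifies them without consuming anything. HTTP clients get
// back a reader positioned at the request line; silent clients, TLS clients and
// unknown protocols get an error so the caller can close the connection immediately.
func GuardConn(conn net.Conn, wait time.Duration) (*bufio.Reader, error) {
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return nil, err
	}
	r := bufio.NewReader(conn)
	prefix, err := r.Peek(prefixLen)
	if err != nil {
		if errors.Is(err, os.ErrDeadlineExceeded) {
			return nil, ErrNoData // scenario (1): connected, never spoke, slot released now rather than at the idle timeout
		}
		return nil, err // typically io.EOF: the client disconnected without sending a request
	}
	// Hand the deadline back to the HTTP server's own read/idle timeouts.
	if err := conn.SetReadDeadline(time.Time{}); err != nil {
		return nil, err
	}
	switch ClassifyPrefix(prefix) {
	case KindHTTP:
		return r, nil
	case KindTLS:
		// Scenario (2): reply with bytes that are visibly not a ServerHello, so the
		// client's TLS stack fails at once instead of both sides waiting on each other.
		_, _ = conn.Write([]byte("HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\nTLS handshake sent to a plain-HTTP port\r\n"))
		return nil, ErrTLSOnHTTPPort
	default:
		return nil, ErrUnknownProtocol
	}
}

// Probe runs GuardConn against an in-memory connection whose peer sends payload and
// then just waits (a nil payload models a client that connects and sends nothing).
// It returns the request line an accepted HTTP client would then be parsed from.
func Probe(payload []byte, wait time.Duration) (string, error) {
	srv, cli := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if payload != nil {
			_, _ = cli.Write(payload) // net.Pipe writes block until the server side reads
		}
		_, _ = io.Copy(io.Discard, cli) // absorb any reply until the server closes
		cli.Close()
	}()
	r, err := GuardConn(srv, wait)
	line := ""
	if err == nil {
		line, err = r.ReadString('\n')
	}
	srv.Close() // releases the slot and unblocks the peer goroutine
	<-done
	return strings.TrimRight(line, "\r\n"), err
}

func main() {
	// Constructed sample inputs: a silent client, the leading bytes of a TLS 1.2
	// ClientHello record, and an ordinary HTTP/1.1 request.
	clientHello := []byte{0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00, 0xc0, 0x03, 0x03}
	request := []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
	for name, payload := range map[string][]byte{"silent": nil, "tls": clientHello, "http": request} {
		line, err := Probe(payload, 50*time.Millisecond)
		fmt.Printf("%-6s line=%q err=%v\n", name, line, err)
	}
}
```

In a real server GuardConn would be called from the accept loop before the connection is handed to the HTTP handler, with wait set to a small value (a few seconds at most) so that a flood of empty connections costs only that long per slot. The prefix heuristic deliberately recognises only HTTP/1.x methods; an HTTP/2 prior-knowledge preface ("PRI * HTTP/2.0") would be classed as unknown, which is correct for a server that does not speak h2c but would need extending otherwise.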