nghttp2.nghttp2 is vulnerable to Denial of Service (DoS)
75
High Risk
Affected versions of this package may fail an assertion and crash while processing HTTP/2 traffic: because of missing internal state validation, the library continues reading subsequent malformed frames after session termination has been triggered. An attacker able to send specially crafted frames could exploit this by first inducing a connection-termination path through enabled extension handling, such as ALTSVC, PRIORITY_UPDATE, or user-defined extension frames, and then immediately sending a malformed frame that triggers FRAME_SIZE_ERROR. The result is a denial of service through process termination.
You are affected if you are using a version that falls within the vulnerable range.
nghttp2.nghttp2 is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.68.0.
Upgrade the nghttp2.nghttp2 library to the patched version.