h2 is vulnerable to Denial of Service (DoS)
59
Medium Risk
The HPACK header decoder inserts every decoded header field into an http::HeaderMap using append(). HeaderMap panics with a size-overflow expectation once its internal capacity is exceeded (around 24,576 unique entries), which is far below the default max_header_list_size budget. A peer that sends a single request or response carrying an absurd number of unique header fields triggers that panic, crashing the connection task and terminating service. The fix switches to try_append() so oversize header lists are rejected at the stream level with a reset instead of aborting.
You are affected if you are using a version that falls within the vulnerable range and your application uses h2 to accept HTTP/2 traffic from untrusted peers without a small max_header_list_size (for example h2 used directly rather than through hyper, whose 16 KB default blocks the trigger).
h2 is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 0.4.14.
Upgrade the h2 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant