Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-26044

Good to know:

icon

Date: May 17, 2023

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

Language: PHP

Severity Score

Related Resources (10)

https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf
https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv
https://github.com/reactphp/http
https://github.com/reactphp/http/commit/9681f764b80c45ebfb5fe2ea7da5bd3babfcdcfd
https://github.com/FriendsOfPHP/security-advisories/blob/master/react/http/CVE-2023-26044.yaml
https://github.com/advisories/GHSA-95x4-j7vc-h8mf
https://nvd.nist.gov/vuln/detail/CVE-2023-26044
https://github.com/php/php-src/commit/716de0cff539f46294ef70fe75d548cd66766370#diff-81d659aa9e83177ac08151f99cebf21ab331d22462c72a1039f59947e66f5a35
https://github.com/reactphp/http/releases/tag/v1.9.0
https://www.mend.io/vulnerability-database/CVE-2023-26044

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version v1.9.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us