CVE-2024-2653

HIGH

amphttp <unknown> - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-2653. PoCs published by lockness-Ko.

AI-analyzed exploit summary This repository contains a functional Go-based proof-of-concept exploit for CVE-2024-27316, targeting HTTP/2 servers with a denial-of-service (DoS) attack via malformed headers. The exploit leverages HPACK encoding to generate large headers, overwhelming the target server.

Description

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

Exploits (1)

github WORKING POC 15 stars
by lockness-Ko · gopoc
https://github.com/lockness-Ko/CVE-2024-27316

This repository contains a functional Go-based proof-of-concept exploit for CVE-2024-27316, targeting HTTP/2 servers with a denial-of-service (DoS) attack via malformed headers. The exploit leverages HPACK encoding to generate large headers, overwhelming the target server.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: HTTP/2 servers (unencrypted or TLS)
No auth needed
Prerequisites: Network access to target HTTP/2 server · Go 1.22.1 or compatible
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.2
EPSS 0.0507
EPSS Percentile 90.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

Status published
Products (5)
AMPHP/amphp/http 2.0.0-beta.1 - 2.1.0
AMPHP/amphp/http v1.6.0-rc1 - 1.7.2
AMPHP/amphp/http-client v4.0.0-rc10 - 4.0.0
amphp/http 2.0.0 - 2.1.1Packagist
amphp/http-client 4.0.0-rc10Packagist
Published Apr 03, 2024
Tracked Since Feb 18, 2026