{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-57804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-20T14:30:35.009Z", "datePublished": "2025-08-25T21:04:52.642Z", "dateUpdated": "2025-11-03T18:13:44.839Z"}, "containers": {"cna": {"title": "h2 allows HTTP Request Smuggling due to illegal characters in headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h"}, {"name": "https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a"}], "affected": [{"vendor": "python-hyper", "product": "h2", "versions": [{"version": "< 4.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-25T21:04:52.642Z"}, "descriptions": [{"lang": "en", "value": "h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0."}], "source": {"advisory": "GHSA-847f-9342-265h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-26T19:14:14.359281Z", "id": "CVE-2025-57804", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T19:14:49.643Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00004.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:13:44.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-57804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-26T19:14:14.359281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T19:14:23.223Z"}}], "cna": {"title": "h2 allows HTTP Request Smuggling due to illegal characters in headers", "source": {"advisory": "GHSA-847f-9342-265h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "python-hyper", "product": "h2", "versions": [{"status": "affected", "version": "< 4.3.0"}]}], "references": [{"url": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h", "name": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a", "name": "https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-25T21:04:52.642Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57804", "state": "PUBLISHED", "dateUpdated": "2025-08-26T19:14:49.643Z", "dateReserved": "2025-08-20T14:30:35.009Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-25T21:04:52.642Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0."}, {"lang": "es", "value": "h2 es una implementaci\u00f3n puramente en Python de una pila de protocolos HTTP/2. Antes de la versi\u00f3n 4.3.0, una vulnerabilidad de divisi\u00f3n de solicitudes HTTP/2 permit\u00eda a los atacantes realizar ataques de contrabando de solicitudes mediante la inyecci\u00f3n de caracteres CRLF en los encabezados. Esto ocurre cuando los servidores degradan las solicitudes HTTP/2 a HTTP/1.1 sin validar correctamente los nombres/valores de los encabezados, lo que permite a los atacantes manipular los l\u00edmites de las solicitudes y eludir los controles de seguridad. Este problema se ha corregido en la versi\u00f3n 4.3.0."}], "id": "CVE-2025-57804", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-25T21:15:37.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00004.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "h2: h2 allows HTTP Request Smuggling due to illegal characters in headers", "id": "2390942", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390942"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-57804", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-cni-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-pilot-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-rhel9-operator", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-sail-operator-bundle", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh-tech-preview/istio-ztunnel-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/ee-supported-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/ee-cloud-services-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2025-08-25T21:04:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-57804\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-57804\nhttps://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a\nhttps://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h"], "statement": "This issue is classified as Moderate rather than Important because its impact is constrained to integrity violations through request injection, without directly compromising confidentiality or availability. The flaw arises only in environments where HTTP/2 traffic is downgraded to HTTP/1.1 by intermediaries, which is not the default behavior in many deployments. Moreover, successful exploitation requires specific backend or proxy configurations that fail to sanitize CRLF sequences properly. As a result, the vulnerability does not universally expose systems to privilege escalation or data leakage but instead enables request manipulation under certain conditions.", "threat_severity": "Moderate"}

{"created": "2025-08-26T08:54:54.114502+00:00", "updated": "2025-08-26T08:54:54.114554+00:00", "vendors": ["hyper", "hyper$PRODUCT$h2"]}