CVE-2025-57804

Name: CVE-2025-57804
Description: h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4290-1
Debian Bugs: 1112348
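
The missing check that the description refers to, as an added Python example (not code from h2 or from Debian): a hypothetical validator that rejects header names and values carrying CR, LF, NUL or illegal whitespace before an HTTP/2 request is serialised as HTTP/1.1, together with the downgrade routine that calls it. It assumes pseudo-headers (:method, :path, ...) have already been consumed and only regular headers are passed in.

```python
from typing import Iterable, List, Tuple

Header = Tuple[bytes, bytes]

# Octets that end or restructure an HTTP/1.1 header line (NUL, LF, CR).
FORBIDDEN_IN_VALUE = frozenset({0x00, 0x0A, 0x0D})
# A regular header name must additionally not carry whitespace or ':',
# otherwise one h2 field could be re-parsed as a name/value boundary.
FORBIDDEN_IN_NAME = FORBIDDEN_IN_VALUE | frozenset({0x09, 0x20, 0x3A})


class HeaderSplittingError(ValueError):
    """Raised when a header could change request boundaries after downgrade."""


def validate_h2_headers(headers: Iterable[Header]) -> None:
    """Reject names/values that are unsafe to emit on an HTTP/1.1 wire.

    Hypothetical helper (assumption, not h2's API): pseudo-headers are
    expected to have been consumed already, so only regular headers arrive.
    """
    for name, value in headers:
        if not name:
            raise HeaderSplittingError("empty header name")
        if any(b in FORBIDDEN_IN_NAME for b in name):
            raise HeaderSplittingError(f"illegal octet in header name {name!r}")
        if any(b in FORBIDDEN_IN_VALUE for b in value):
            raise HeaderSplittingError(f"CR/LF/NUL in value of {name!r}")
        # RFC 9113 also forbids leading/trailing whitespace in field values.
        if value != value.strip(b" \t"):
            raise HeaderSplittingError(f"surrounding whitespace in {name!r}")


def would_split(headers: Iterable[Header]) -> bool:
    """True if the validator rejects the header block, False if it is clean."""
    try:
        validate_h2_headers(list(headers))
    except HeaderSplittingError:
        return True
    return False


def downgrade_to_http1(method: bytes, path: bytes, headers: List[Header]) -> bytes:
    """Serialise an HTTP/2 request as HTTP/1.1, validating before writing."""
    validate_h2_headers(headers)
    lines = [b"%s %s HTTP/1.1" % (method, path)]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"
```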

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version            Status
python-h2 (PTS)    bullseye             4.0.0-3            vulnerable
                   bullseye (security)  4.0.0-3+deb11u1    fixed
                   bookworm             4.1.0-4            vulnerable
                   forky, sid, trixie   4.2.0-1            vulnerable

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version     Urgency   Origin       Debian Bugs
python-h2   source  bullseye    4.0.0-3+deb11u1             DLA-4290-1
python-h2   source  (unstable)  (unfixed)                                1112348

Notes

[trixie] - python-h2 <no-dsa> (Minor issue)
[bookworm] - python-h2 <no-dsa> (Minor issue)
https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h
https://github.com/python-hyper/h2/commit/883ed37be42592b2f0aa0caddab6ca5e3d668fa3 (v4.3.0)
https://github.com/python-hyper/h2/commit/035e9899f95e3709af098f578bfc3cd302298e3a (v4.3.0)
