Security #7658
closed
http2: global tx (stream id 0) may open file and never close it
Git IDs:
1d6d331752e933c46aca0ae7a9679b27462246e3
Severity:
HIGH
Disclosure Date:
07/26/2025
Description
Per RFC 9113 section 5.1.1
the stream identifier of zero cannot be used to establish a new stream
So, we should not accept a DATA frame with a stream id 0
Comes from oss-fuzz https://issues.oss-fuzz.com/u/1/issues/42534790
Updated by Philippe Antoine 4 months ago
Or section 6.1
If a DATA frame is received whose Stream Identifier field is 0x00, the recipient MUST respond with a connection error (Section 5.4.1) of type PROTOCOL_ERROR
Updated by Philippe Antoine 3 months ago
- Tracker changed from Bug to Security
- Severity set to MODERATE
- Disclosure Date set to 07/26/2024
Updated by Philippe Antoine 3 months ago
- Disclosure Date changed from 07/26/2024 to 07/26/2025
Updated by Philippe Antoine about 2 months ago
- Target version changed from 8.0.0-rc1 to 8.0.0
No security fix in rc1
Updated by Victor Julien about 2 months ago
- Severity changed from MODERATE to HIGH
Updated by Juliana Fajardini Reichow 26 days ago
- CVE set to 2025-53538
Updated by Philippe Antoine 24 days ago
- Status changed from Resolved to Closed
Fixed by commit 1d6d331752e933c46aca0ae7a9679b27462246e3
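
The check the description calls for, as an added Rust example (not Suricata's code and not the referenced commit; all type and function names are hypothetical): parse the 9-byte HTTP/2 frame header and refuse a DATA frame whose stream identifier is 0, including when the reserved high bit is set.

```rust
// Added example with hypothetical names; not Suricata's parser code.
const FRAME_TYPE_DATA: u8 = 0x0; // RFC 9113 section 6.1
const FRAME_HEADER_LEN: usize = 9; // RFC 9113 section 4.1

#[derive(Debug, PartialEq)]
pub struct FrameHeader {
    pub length: u32,
    pub ftype: u8,
    pub flags: u8,
    pub stream_id: u32,
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Fewer than 9 header bytes available.
    Truncated,
    /// DATA frame on stream 0: connection error of type PROTOCOL_ERROR.
    DataOnStreamZero,
}

/// Parse the fixed header: 24-bit length, 8-bit type, 8-bit flags,
/// 1 reserved bit, 31-bit stream identifier.
pub fn parse_frame_header(buf: &[u8]) -> Result<FrameHeader, FrameError> {
    if buf.len() < FRAME_HEADER_LEN {
        return Err(FrameError::Truncated);
    }
    let length = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]);
    // Mask off the reserved high bit so 0x80000000 is still seen as stream 0.
    let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
    Ok(FrameHeader { length, ftype: buf[3], flags: buf[4], stream_id })
}

/// Reject a DATA frame addressed to stream 0 before the caller attaches
/// any transaction or file state to it. Other frame types are passed on.
pub fn check_frame(buf: &[u8]) -> Result<FrameHeader, FrameError> {
    let hdr = parse_frame_header(buf)?;
    if hdr.ftype == FRAME_TYPE_DATA && hdr.stream_id == 0 {
        return Err(FrameError::DataOnStreamZero);
    }
    Ok(hdr)
}

fn main() {
    // Constructed sample headers (not captured traffic).
    let data_stream0: [u8; 9] = [0, 0, 5, 0x0, 0, 0, 0, 0, 0];
    let settings_stream0: [u8; 9] = [0, 0, 0, 0x4, 0, 0, 0, 0, 0];
    println!("{:?}", check_frame(&data_stream0));
    println!("{:?}", check_frame(&settings_stream0));
}
```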