logo

Apache HttpComponents Core Patches Two DoS Vulnerabilities in HTTP Parsers

ID: 2e52780b-d155-51de-8d43-d3c3198d7f8c

STIX ID: report--2e52780b-d155-51de-8d43-d3c3198d7f8c

Feed Name: securityonline.info

Threat Score
55/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Do Son

...
...

The report discloses two important Apache HttpComponents Core vulnerabilities (CVE-2026-54399 and CVE-2026-54428) that enable unauthenticated remote denial-of-service through memory exhaustion by abusing unbounded HTTP/1.1 headers and HPACK decoding before SETTINGS ACK; affected httpcore5 and httpcore5-h2 releases (5.4.2 and earlier, plus 5.5-beta1) have patched builds available and operators are advised to update dependencies and enforce header limits at the edge. No exploitation in the wild or public proof-of-concept has been confirmed.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.