CVE-2024-45797
LibHTP's unbounded header handling leads to denial of service
In short
LibHTP, a library that parses HTTP messages, does not bound the number or size of headers it processes. An attacker can send a request with thousands of headers to make the server extremely slow or run out of memory.
Technical detail
LibHTP versions before 0.5.49 lack input validation on HTTP header count and size, allowing remote attackers to trigger unbounded resource consumption (CPU and memory) via malformed or oversized header payloads, resulting in denial of service. The vulnerability affects both request and response header processing without proper bounds enforcement.
Summary generated and translated by AI from the official description.
LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Prior to version 0.5.49, unbounded processing of HTTP request and response headers can lead to excessive CPU time and memory utilization, possibly leading to extreme slowdowns. This issue is addressed in 0.5.49.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
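The mitigation class the advisory describes is bounds enforcement on header count and total header bytes. The following is an added illustration, not LibHTP's own code: a minimal header-block scanner that aborts as soon as either limit is exceeded, so the work done is capped regardless of how many headers the sender supplies. The limits (256 headers, 64 KiB) and the 5000-header sample are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one header block. */
enum hdr_status { HDR_OK = 0, HDR_TOO_MANY, HDR_TOO_LARGE, HDR_INCOMPLETE };

/* Scans buf[0..len) one LF-terminated line at a time and stops as soon as
 * the header count or the byte count exceeds the caller's limits, so a
 * header flood costs at most max_headers / max_bytes worth of work.
 * On return *header_count and *consumed report how far the scan got. */
enum hdr_status scan_headers_bounded(const char *buf, size_t len,
                                     size_t max_headers, size_t max_bytes,
                                     size_t *header_count, size_t *consumed)
{
    size_t pos = 0, count = 0;
    enum hdr_status st = HDR_INCOMPLETE;       /* block not yet terminated */
    while (pos < len) {
        const char *line = buf + pos;
        const char *eol = memchr(line, '\n', len - pos);
        if (eol == NULL) break;                /* partial line: wait for more bytes */
        size_t line_len = (size_t)(eol - line) + 1;
        pos += line_len;
        if (pos > max_bytes) { st = HDR_TOO_LARGE; break; }
        /* An empty line (CRLF or bare LF) ends the header block. */
        if (line_len == 1 || (line_len == 2 && line[0] == '\r')) { st = HDR_OK; break; }
        if (++count > max_headers) { st = HDR_TOO_MANY; break; }
    }
    *header_count = count;
    *consumed = pos;
    return st;
}

/* Constructed demo: a block of 5000 short headers is rejected after the
 * 256-header limit is crossed instead of being parsed to the end. */
int main(void)
{
    static char flood[5000 * 10 + 3];          /* "X-0000:1\r\n" is 10 bytes each */
    size_t n = 0, i, count, used;
    for (i = 0; i < 5000; i++)
        n += (size_t)sprintf(flood + n, "X-%04zu:1\r\n", i);
    memcpy(flood + n, "\r\n", 3);
    n += 2;
    enum hdr_status st = scan_headers_bounded(flood, n, 256, 64 * 1024, &count, &used);
    printf("status=%d headers_seen=%zu bytes_scanned=%zu\n", (int)st, count, used);
    return st == HDR_TOO_MANY ? 0 : 1;
}
```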
Affected products
OISF · libhtp