THREATINT
PUBLISHED

CVE-2025-53538

Suricata's mishandling of data on HTTP2 stream 0 can lead to resource starvation



Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte_test checks that the HTTP2 frame type is DATA and the second checks that the stream id is 0. This is fixed in versions 7.0.11 and 8.0.0.
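As an added illustration (not Suricata's code and not part of the advisory), the Python below reproduces the two byte_test checks of the workaround signature against constructed HTTP/2 frames: both offsets are relative to the 9-byte frame header that frame:http2.hdr selects, so offset 3 is the frame type and offset 5 begins the 4-byte stream id. All function and constant names are this example's own.

```python
# Added example: mirror the advisory's byte_test checks on HTTP/2 frame headers.
# RFC 7540 frame header layout: 3-byte length, 1-byte type, 1-byte flags, 4-byte stream id.
FRAME_HEADER_LEN = 9
FRAME_TYPE_DATA = 0x0      # DATA frames on stream 0 are a protocol error (RFC 7540 section 6.1)
FRAME_TYPE_SETTINGS = 0x4  # SETTINGS legitimately lives on stream 0, so it must not match


def parse_frame_header(buf: bytes) -> dict:
    """Decode one HTTP/2 frame header (helper written for this example)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("need at least 9 bytes for an HTTP/2 frame header")
    return {
        "length": int.from_bytes(buf[0:3], "big"),
        "type": buf[3],
        "flags": buf[4],
        # top bit of the stream id field is reserved and must be ignored by receivers
        "stream_id": int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF,
    }


def matches_workaround_rule(buf: bytes) -> bool:
    """Same conditions as the signature:
    byte_test:1,=,0,3 -> the byte at offset 3 (frame type) equals 0 (DATA)
    byte_test:4,=,0,5 -> the 4 bytes at offset 5 (stream id field) are all zero
    Note the rule compares the raw 4 bytes, so a frame with the reserved bit set
    would not match even though its stream id is 0."""
    if len(buf) < FRAME_HEADER_LEN:
        return False
    return buf[3] == FRAME_TYPE_DATA and buf[5:9] == b"\x00\x00\x00\x00"


def build_frame(frame_type: int, stream_id: int, payload: bytes, flags: int = 0) -> bytes:
    """Assemble a frame from its fields (used only to construct sample input)."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload


def scan_frames(buf: bytes) -> list:
    """Walk concatenated frames and return the byte offsets the rule would drop."""
    hits, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        hdr = parse_frame_header(buf[off:off + FRAME_HEADER_LEN])
        if matches_workaround_rule(buf[off:off + FRAME_HEADER_LEN]):
            hits.append(off)
        off += FRAME_HEADER_LEN + hdr["length"]
    return hits


# Constructed sample traffic: a normal SETTINGS frame, a normal DATA frame on
# stream 1, then the abnormal DATA frame on stream 0 that the signature targets.
SETTINGS_ON_STREAM_0 = build_frame(FRAME_TYPE_SETTINGS, 0, b"")
DATA_ON_STREAM_1 = build_frame(FRAME_TYPE_DATA, 1, b"hello")
DATA_ON_STREAM_0 = build_frame(FRAME_TYPE_DATA, 0, b"\x00" * 16)
SAMPLE_STREAM = SETTINGS_ON_STREAM_0 + DATA_ON_STREAM_1 + DATA_ON_STREAM_0
```

Running scan_frames(SAMPLE_STREAM) reports only the third frame (offset 23), which is the behaviour the drop rule is meant to have.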

Reserved 2025-07-02 | Published 2025-07-22 | Updated 2025-07-22 | Assigner GitHub_M


HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-400: Uncontrolled Resource Consumption

Product status

< 7.0.11
affected

>= 8.0.0-beta1, < 8.0.0
affected

References

github.com/...ricata/security/advisories/GHSA-qrr7-crgj-cmh3

github.com/...ommit/1d6d331752e933c46aca0ae7a9679b27462246e3

github.com/...ommit/7fa88ea9e7d05e07a7864050cfd836b576669720

cve.org (CVE-2025-53538)

nvd.nist.gov (CVE-2025-53538)

https://cve.threatint.eu/CVE/CVE-2025-53538