CVE-2024-2653 Overview
CVE-2024-2653 is a denial of service vulnerability affecting the amphp/http library, a popular asynchronous HTTP client and server implementation for PHP. The vulnerability exists in the handling of HTTP/2 CONTINUATION frames, where the library collects these frames in an unbounded buffer without checking size limits until it receives the END_HEADERS flag. This improper resource management can be exploited by remote attackers to cause an Out-of-Memory (OOM) crash, resulting in service unavailability.
Critical Impact
Remote attackers can exploit this vulnerability to crash amphp/http-based applications by sending specially crafted HTTP/2 CONTINUATION frames, causing memory exhaustion and denial of service without requiring authentication.
Affected Products
- amphp/http (PHP HTTP library)
- amphp/http-client (PHP HTTP client library)
- Applications and services built using vulnerable amphp/http versions
Discovery Timeline
- April 3, 2024 - CVE-2024-2653 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-2653
Vulnerability Analysis
This vulnerability stems from improper handling of HTTP/2 CONTINUATION frames within the amphp/http library. In the HTTP/2 protocol, CONTINUATION frames are used to continue a sequence of header block fragments when headers are too large to fit in a single HEADERS frame. The protocol expects implementations to properly manage memory when accumulating these fragments.
The amphp/http library fails to implement proper bounds checking during the accumulation of CONTINUATION frames. Instead of validating buffer size incrementally as frames arrive, the library continues to collect frame data into an unbounded buffer. Size validation only occurs after the END_HEADERS flag is received, which signals the completion of the header block. This design flaw allows an attacker to send an arbitrarily large number of CONTINUATION frames before triggering the size check, leading to memory exhaustion.
Root Cause
The root cause is a resource exhaustion vulnerability due to improper input validation in the HTTP/2 frame processing logic. The library's implementation defers size limit checks until header transmission is complete rather than enforcing limits incrementally. This violates secure coding practices that require input validation at boundaries and resource consumption limits during data accumulation.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without requiring any authentication or user interaction. The attack involves establishing an HTTP/2 connection to a vulnerable server or client and sending a sequence of CONTINUATION frames without the END_HEADERS flag set. Each frame adds data to the buffer without triggering size validation. By continuing to send these frames, the attacker can force the target to allocate memory until the system runs out of available memory, triggering an OOM condition and crashing the application.
The attack is particularly effective because HTTP/2 connections are typically persistent and multiplexed, allowing an attacker to maintain the malicious stream while the target continues normal operations until memory is exhausted.
Detection Methods for CVE-2024-2653
Indicators of Compromise
- Unusual memory consumption spikes on servers running amphp/http-based applications
- Application crashes with OOM (Out-of-Memory) errors in amphp/http components
- HTTP/2 connections with abnormally high numbers of CONTINUATION frames
- Increased frequency of process restarts for PHP-based HTTP services
Detection Strategies
- Monitor memory usage patterns for amphp/http application processes to detect gradual memory exhaustion
- Implement HTTP/2 frame inspection at network level to detect streams with excessive CONTINUATION frames
- Configure application-level logging to capture HTTP/2 frame statistics and identify anomalous patterns
- Deploy SentinelOne Singularity Platform to detect resource exhaustion attacks and memory anomalies
Monitoring Recommendations
- Set up memory threshold alerts for processes running amphp/http-based services
- Monitor HTTP/2 connection statistics for unusual frame patterns or connection durations
- Track application restart frequency to identify potential exploitation attempts
- Review network traffic for connections maintaining HTTP/2 streams without END_HEADERS completion
How to Mitigate CVE-2024-2653
Immediate Actions Required
- Update amphp/http to the latest patched version immediately
- Update amphp/http-client if used in your application stack
- Implement memory limits at the process or container level to prevent system-wide impact
- Consider temporarily disabling HTTP/2 support if patching is not immediately possible
Patch Information
Security patches addressing this vulnerability have been released by the amphp project maintainers. Users should consult the GitHub Security Advisory GHSA-qjfw-cvjf-f4fm for amphp/http and GitHub Security Advisory GHSA-w8gf-g2vq-j2f4 for amphp/http-client for specific version information and upgrade instructions. Additional coordination details are available through CERT Vulnerability Note #421644.
Workarounds
- Configure reverse proxies (nginx, HAProxy) to limit HTTP/2 header sizes and frame counts before requests reach the application
- Implement process-level memory limits using PHP's memory_limit directive or container resource constraints
- Deploy rate limiting on HTTP/2 connections to reduce the effectiveness of exploitation attempts
- Consider using HTTP/1.1 only until patches can be applied if HTTP/2 is not a strict requirement
# Example PHP memory limit configuration in php.ini
memory_limit = 256M
# Example Docker container memory limit
docker run --memory="512m" --memory-swap="512m" your-amphp-app
# Example nginx HTTP/2 header size limit (upstream proxy)
http2_max_header_size 16k;
http2_max_field_size 4k;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
