CVE Tools
Sign in

CVE-2023-26044

ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits

Published: May 17, 2023Updated: Nov 21, 2024 Sources: CVE List NVD GHSACWE-400
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.7%
Top 52.5%
CISA KEV
Not in KEV
Exploits
1 Known
Remediation
Patch Available

Description

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-400NVD-CWE-noinfo

Affected Products

httpreactphp
Library
OSS Libraries / web-framework
react/httpPackagistOSS Libraries
reactphposs-projectOSS Libraries
packagistpackage-ecosystemOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf
github.com
https://github.com/reactphp/http/commit/9681f764b80c45ebfb5fe2ea7da5bd3babfcdcfd
github.com
https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv
github.com
and 6 more references View all →

Timeline

Published
May 17, 2023
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-26044 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows