Suricata’s mishandling of data on HTTP2 stream 0 can lead...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

Basic Information

ID CVE-2025-53538

Source GitHub_M

Published Jul 22, 2025 at 21:36

Modified Jul 23, 2025 at 18:32

Affected Product

Vendor OISF

Product suricata

Version < 7.0.11

Affected Versions OISF suricata < 7.0.11
OISF suricata >= 8.0.0-beta1, < 8.0.0

CWE Classification

CWE-770 CWE-400

References

{
    "lastseen": "",
    "description": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and  8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.",
    "published": "2025-07-22T21:36:03.976Z",
    "modified": "2025-07-23T18:32:21.856Z",
    "type": "cve",
    "title": "Suricata's mishandling of data on  HTTP2 stream 0 can lead to resource starvation",
    "source": "GitHub_M",
    "references": "https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3\nhttps://github.com/OISF/suricata/commit/1d6d331752e933c46aca0ae7a9679b27462246e3\nhttps://github.com/OISF/suricata/commit/7fa88ea9e7d05e07a7864050cfd836b576669720",
    "id": "CVE-2025-53538",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770",
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "OISF suricata < 7.0.11\nOISF suricata >= 8.0.0-beta1, < 8.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "suricata",
    "version": "< 7.0.11",
    "vendor": "OISF",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Suricata’s mishandling of data on HTTP2 stream 0 can lead to resource starvation_CVE-2025-53538