CVE-2025-57804 MEDIUM

CVE-2025-57804: h2 allows HTTP Request Smuggling due to illegal characters in headers

Vendor Python-Hyper
Product h2
Weakness CWE-93 · CRLF injection
Published August 25, 2025
Last update November 3, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.

Key dates

02Disclosure timeline

August 25, 2025 CVE published
November 3, 2025 Record updated