GHSA-8grv-jq2g-cfhw: amphp/http-server affected by HTTP/2 DDoS vulnerability
Versions of amphp/http-server before 3.4.4 on the 3.x release branch and before 2.1.10 on the 2.x release branch are vulnerable to the HTTP/2 “MadeYouReset” DoS attack described in CVE-2025-8671 and https://kb.cert.org/vuls/id/767506.
In versions 3.4.4 and 2.1.10, stream reset protection has been refactored to account for the number of reset streams within a sliding time window.
Note that your application is only affected if it exposes HTTP/2 connections directly. Servers behind a reverse proxy such as nginx that forwards requests over HTTP/1.x are not affected.
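As an added illustration (not code from amphp/http-server), the following Python sketch shows the sliding-window reset counting described above: every reset stream is counted regardless of which side sent RST_STREAM, and the connection is torn down once the count within the window exceeds a limit. The limit and window length are assumed values; the advisory does not state the ones the project uses.

```python
from collections import deque

# Assumed limits for illustration; the advisory does not give the real ones.
MAX_RESETS = 100        # resets tolerated per connection...
WINDOW_SECONDS = 10.0   # ...within this sliding time window


class ResetBudget:
    """Per-connection budget of reset streams over a sliding time window.

    A stream counts as reset whether the client sent RST_STREAM or the
    server had to send RST_STREAM itself; MadeYouReset defeats counters
    that only track the client-sent frames.
    """

    def __init__(self, max_resets=MAX_RESETS, window=WINDOW_SECONDS):
        self.max_resets = max_resets
        self.window = window
        self._resets = deque()  # monotonic timestamps of resets still in window

    def _evict(self, now):
        # Drop resets older than the window so only recent activity counts.
        while self._resets and now - self._resets[0] > self.window:
            self._resets.popleft()

    def record_reset(self, now):
        """Record one reset at time `now` (monotonic seconds).

        Returns True while within budget, False once the window count exceeds
        the limit, i.e. the connection should be closed (GOAWAY).
        """
        self._evict(now)
        self._resets.append(now)
        return len(self._resets) <= self.max_resets

    def active_resets(self, now):
        self._evict(now)
        return len(self._resets)


def simulate(events, count_server_initiated):
    """Replay constructed (time, initiator) reset events against a budget.

    count_server_initiated=False models a counter that only tracks client
    RST_STREAM frames; True models counting every reset stream.
    Returns the index of the first event that exhausts the budget, or None.
    """
    budget = ResetBudget()
    for i, (t, who) in enumerate(events):
        if who == "server" and not count_server_initiated:
            continue  # the weak counter never sees server-initiated resets
        if not budget.record_reset(t):
            return i
    return None


# Constructed sample: 150 server-initiated resets on one connection in one second.
MADE_YOU_RESET_EVENTS = [(i / 150, "server") for i in range(150)]
```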