CVE-2016-6580: DoS via Unlimited Stream Insertion

January 10, 2017 (updated January 27, 2017)

An HTTP/2 implementation built using the priority library could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.

References

www.imperva.com/docs/Imperva_HII_HTTP2.pdf
github.com/python-hyper/priority/pull/23

Code Behaviors & Features

Detect and mitigate CVE-2016-6580 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →