GHSA-pj86-258h-qrvf: Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration

GHSA-vr6p-vq2p-6j74: LikeC4 has RCE through vulnerable React and Next.js versions

GHSA-wwrj-3hvj-prpm: Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

GHSA-496g-mmpw-j9x3: misskey.js's export data contains private post data

GHSA-m6hq-f4w9-qrjj: Weblate has improper validation upon invitation acceptance

`amphp/http` will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. `amphp/http-client` and `amphp/http-server` are indirectly affected if they're used with an unpatched version of `amphp/http`. Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.

## Acknowledgements

Thank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.

**AMPHP Denial of Service via HTTP/2 CONTINUATION Frames**

High severity GitHub Reviewed Published Apr 3, 2024 in amphp/http • Updated Apr 3, 2024

Headline

GHSA-qjfw-cvjf-f4fm: AMPHP Denial of Service via HTTP/2 CONTINUATION Frames

Acknowledgements

ghsa: Latest News