Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 4 Aug 2016 10:18:55 +0100
From: Cory Benfield <>
Subject: CVE-2016-6581, Python HPACK and old Python Hyper releases: HPACK Bomb


Hyper Project security advisory, August 4th 2016.


A HTTP/2 implementation built using the priority library could be targetted for
a denial of service attack based on HPACK, specifically a so-called "HPACK
Bomb" attack.

This attack occurs when an attacker inserts a header field that is exactly the
size of the HPACK dynamic header table into the dynamic header table. The
attacker can then send a header block that is simply repeated requests to
expand that field in the dynamic table. This can lead to a gigantic compression
ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of
data on the target machine.

It only takes a few such header blocks before the attacker has forced the
target to allocate gigabytes of memory, which will take the process down. This
requires relatively few resources on the part of the attacker.

While we are not aware of any attacker actively exploiting this vulnerability,
it has been public disclosed in this report[1], and so users should assume that
they are likely to be targetted by such an attack.


This issue has been given the name CVE-2016-6581.

Affected Versions

This issue affects all versions of the HPACK library prior to 2.3.0. It also
affects versions of the Hyper client library earlier than 0.6.0, which bundled
a copy of the HPACK library.

The Solution

In version 2.3.0, the HPACK library limits the maximum decompressed size of the
header block. It does so by essentially adding support for the HTTP/2 setting
``SETTINGS_MAX_HEADER_LIST_SIZE``. This value defaults to 64kB, but is

If it is necessary to backport a patch, the patch can be found in
this GitHub pull request[2].


We suggest you take the following actions immediately, in order of preference:

1. Update HPACK to 2.3.0 immediately.
2. Backport the patch made available on GitHub.
3. Substantially decrease the maximum size of the compressed header block your
   application will accept, or alternatively ensure that each decompressed
   header block is freed before your application processes the next one.

If you have a copy of the Hyper client library, we recommend taking the
following actions, in order of preference:

1. Update hyper to any version later than 0.6.0
2. Backport the patch made available on GitHub.


This class of vulnerability was publicly reported in this report[1] on the
3rd of August. We requested a CVE ID from Mitre the same day.

HPACK 2.3.0 was released on the 4th of August, at the same time as the
publication of this advisory.


Cory Benfield, on behalf of the Python Hyper project.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.