securityonline.info 7/2/2026, 5:52:35 PM · external

Apache HttpComponents Core Patches Two DoS Vulnerabilities in HTTP Parsers

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

The Apache Software Foundation has reported two vulnerabilities in Apache HttpComponents Core, CVE-2026-54399 and CVE-2026-54428, both rated High severity (CVSS 7.5). Both can potentially allow remote denial-of-service attacks through memory exhaustion; no public exploits have been confirmed. CVE-2026-54399 relates to unbounded HTTP/1.1 headers, which allow attackers to send excessive headers. CVE-2026-54428 pertains to HPACK decoding before SETTINGS ACK, which can lead to resource allocation issues.

Affected versions include httpcore5 5.4.2 and earlier. Developers are advised to update to newer builds and enforce strict header limits to mitigate the risks.
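What "strict header limits" means for an HTTP/1.1 parser, as an added language-neutral illustration in Python (not httpcore5 code and not from the article): each bound is checked before more data is buffered, so memory use is capped by the limits rather than by the peer. The limit values, function names and sample inputs are assumptions constructed for this example.

```python
import io

class HeaderLimitExceeded(Exception):
    """Raised as soon as a configured bound is crossed."""

def read_headers(stream, max_line_len=8192, max_headers=100, max_total=65536):
    """Read an HTTP/1.1 header block (stream positioned after the start line).

    Limits are illustrative defaults, not values taken from httpcore5.
    """
    headers, total = [], 0
    while True:
        # readline(n) returns at most n bytes, so an endless line is never
        # accumulated; the one extra byte is what reveals the overflow.
        line = stream.readline(max_line_len + 1)
        if len(line) > max_line_len:
            raise HeaderLimitExceeded("header line too long")
        if not line.endswith(b"\n"):
            raise ValueError("stream ended before end of headers")
        total += len(line)
        if total > max_total:
            raise HeaderLimitExceeded("header block too large")
        if line in (b"\r\n", b"\n"):
            return headers  # blank line terminates the header block
        if len(headers) >= max_headers:
            raise HeaderLimitExceeded("too many header fields")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.decode("latin-1").lower(),
                        value.strip().decode("latin-1")))

def verdict(raw, **limits):
    """Return 'ok' or the rejection reason for a raw header block."""
    try:
        read_headers(io.BytesIO(raw), **limits)
        return "ok"
    except (HeaderLimitExceeded, ValueError) as exc:
        return str(exc)

# Constructed sample inputs (not captured traffic).
NORMAL = b"Host: example.test\r\nAccept: */*\r\n\r\n"
MANY_FIELDS = b"X-A: 1\r\n" * 1000 + b"\r\n"
LONG_LINE = b"X-Big: " + b"a" * 100_000 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("many", MANY_FIELDS), ("long", LONG_LINE)):
        print(label, "->", verdict(raw))
```

Rejections should close the connection instead of draining the remaining input, otherwise the peer still controls how much work the server does.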


Article by CyberSIXT