CVE Catalog

CVE-2026-54399

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

An uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.

Risk Assessment

The organization is at risk of DoS attacks that could lead to unavailability of services based on Apache HttpComponents Core, potentially disrupting application operations and affecting business continuity.

Recommendation

Immediately upgrade Apache HttpComponents Core to version 5.4.3 or later (post 5.5-beta1). If an upgrade is not possible, restrict access to services using this library and implement mechanisms to limit the number and length of HTTP headers.

Original NVD description (English source)

Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length

Vulnerability data from NVD (NIST) · CISA KEV · EPSS