EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Apache HttpComponents Core, affecting versions 5.4.2 and earlier as well as 5.5-beta1. Both are denial-of-service vulnerabilities that allow a remote attacker to exhaust server memory, posing a significant business risk. Successful exploitation can lead to application crashes and service disruption, affecting services beyond the Apache ecosystem.
• CVE-2026-54399 with a CVSS score of 7.5 – This vulnerability allows attackers to send messages with an excessive number of headers or oversized header lines, causing memory exhaustion. It affects the httpcore5 module and can be exploited without authentication.
• CVE-2026-54428 with a CVSS score of 7.5 – This vulnerability enables attackers to push oversized compressed header blocks before the SETTINGS acknowledgement arrives, triggering memory exhaustion. It affects the httpcore5-h2 module and also requires no authentication.
The identified vulnerabilities pose a significant risk to businesses, as they can be exploited to disrupt services and cause memory exhaustion. If left unaddressed, these vulnerabilities can lead to application crashes and disruptions, resulting in business downtime and potential financial losses. The lack of authentication requirements for these vulnerabilities increases the urgency of addressing them to prevent potential attacks.
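As a defence-in-depth complement to upgrading, the two parsers named above can be given explicit header limits. This is an added example, not code from the advisory or from the Apache project; it assumes the Http1Config and H2Config builders of httpcore5 5.x as I know them (setMaxHeaderCount, setMaxLineLength, setMaxHeaderListSize, setHeaderTableSize), and the numeric caps are constructed values, not recommendations from the advisory.

```java
import org.apache.hc.core5.http.config.Http1Config;
import org.apache.hc.core5.http2.config.H2Config;

/**
 * Added example (not from the advisory or the Apache project): builds explicit
 * request-header limits for the two modules the advisory names.
 * Assumption: the Http1Config / H2Config builder methods used here exist in the
 * httpcore5 release you run; verify the setter names against its Javadoc.
 */
public final class HeaderLimits {

    // Constructed values: generous enough for ordinary clients, tight enough
    // that a flood of headers or one giant header line is rejected early.
    static final int MAX_HEADER_COUNT = 100;            // headers per message (HTTP/1.1)
    static final int MAX_LINE_LENGTH = 8 * 1024;        // bytes per header line (HTTP/1.1)
    static final int MAX_HEADER_LIST_SIZE = 16 * 1024;  // decoded HPACK header block bytes (HTTP/2)
    static final int HEADER_TABLE_SIZE = 4 * 1024;      // HPACK dynamic table size (HTTP/2)

    /** HTTP/1.1 limits for the httpcore5 message parser (the CVE-2026-54399 class of input). */
    public static Http1Config http1() {
        return Http1Config.custom()
                .setMaxHeaderCount(MAX_HEADER_COUNT)
                .setMaxLineLength(MAX_LINE_LENGTH)
                .build();
    }

    /** HTTP/2 limits for the httpcore5-h2 HPACK decoder (the CVE-2026-54428 class of input). */
    public static H2Config http2() {
        return H2Config.custom()
                .setMaxHeaderListSize(MAX_HEADER_LIST_SIZE)
                .setHeaderTableSize(HEADER_TABLE_SIZE)
                .build();
    }

    private HeaderLimits() {
    }
}
```

Pass the two configs to your server bootstrap in addition to, not instead of, moving to a fixed release: whether a given build enforces them during the pre-SETTINGS window is exactly what the upgrade addresses.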
RECOMMENDATION:
We recommend obtaining an updated release from the Apache HttpComponents download page: https://hc.apache.org/download.html
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-httpcomponents-core-dos/