Decompression Vulnerability in Proxygen HTTP2 by Facebook
CVE-2019-11940

9.8 CRITICAL

Key Information:

Vendor

Facebook

Status
Vendor
CVE Published:
4 December 2019

What is CVE-2019-11940?

A vulnerability exists in Facebook's Proxygen HTTP2 implementation: a sequence of unexpected header table resize operations can leave the decoder in a corrupted state. This results in a use-after-free, which triggers undefined behavior and may affect application stability. Affected versions range from Proxygen v0.29.0 to v2017.04.03.00; apply the available updates and patches.

Affected Version(s)

Proxygen v2017.04.03.00

Proxygen v0.29.0

Proxygen < unspecified

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
