LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak that can starve the process of memory, leading to loss of visibility. To workaround this issue, set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false. This issue is fixed in version 0.5.51.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-07-23
LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Prior to version 0.5.49, unbounded processing of HTTP request and response headers can lead to excessive CPU time and memory utilization, possibly leading to extreme slowdowns. This issue is addressed in 0.5.49.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-10-16
LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available.
CVSS Score
7.5
EPSS Score
0.005
Published
2024-04-04
LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-02-26
In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-10-10
htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.
CVSS Score
9.8
EPSS Score
0.008
Published
2019-04-04
libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference).
CVSS Score
7.5
EPSS Score
0.008
Published
2017-08-28