{"id":"CVE-2016-6581","details":"A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called \"HPACK Bomb\" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests to expand that field in the dynamic table. This can lead to a gigantic compression ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of data on the target machine.","aliases":["GHSA-ffq8-576r-v26g","PYSEC-2017-87"],"modified":"2026-04-10T03:52:43.458744Z","published":"2017-01-10T15:59:00.423Z","related":["openSUSE-SU-2024:11230-1","openSUSE-SU-2024:14140-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92315"},{"type":"ADVISORY","url":"https://python-hyper.org/hpack/en/latest/security/CVE-2016-6581.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python-hyper/hpack","events":[{"introduced":"0"},{"last_affected":"fc618368a4b0c56a6bcce776787fc21cacbb5b10"},{"introduced":"0"},{"last_affected":"42ac8ce70560ae64076bcc840bd0d75d51ef8f02"},{"introduced":"0"},{"last_affected":"1258828f27a605f7efc7b84327d607e63b62bbcd"},{"introduced":"0"},{"last_affected":"89c71490c2f24a332dfd86f238caf82a2495d818"},{"introduced":"0"},{"last_affected":"ab9e9a65a6be582b33dae280b87daba269377f98"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"2.0"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.2"}]}}],"versions":["v1.0.0","v1.0.1","v1.1.0","v2.0.0","v2.0.1","v2.1.0","v2.1.1","v2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6581.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"0.6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}