Description
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
Remediation
References
Related Vulnerabilities
MyBB Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-29457)
OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-0702)
Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-0245)
Oracle JRE CVE-2012-4416 Vulnerability (CVE-2012-4416)
WordPress Plugin Titan Framework Cross-Site Scripting (1.7.5)