HTTP/2 C library and tools

Nghttp2 v1.39.2

We have released nghttp2 v1.39.2.

This release addresses following security issues.

Security Advisory

  • CVE-2019-9511: Data Dribble
  • CVE-2019-9513: Resource Loop


The details of advisories are described here.

libnghttp2 itself is not affected by vulnerabilities reported above.

nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions

  • Affected versions: nghttp2 version < 1.39.2
  • Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.

For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.