This page lists publicly disclosed CVE vulnerabilities affecting oisf libhtp (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-53537 | LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak that can starve the process of memory, leading to loss of visibility. To workaround this issue, set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false. This issue is fixed in version 0.5.51. | [email protected] | 7.5 | 0.40% | 2025-07-23 | 2025-08-05 |
| CVE-2024-45797 | LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Prior to version 0.5.49, unbounded processing of HTTP request and response headers can lead to excessive CPU time and memory utilization, possibly leading to extreme slowdowns. This issue is addressed in 0.5.49. | [email protected] | 7.5 | 0.70% | 2024-10-16 | 2025-11-03 |
| CVE-2024-28871 | LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available. | [email protected] | 7.5 | 0.84% | 2024-04-04 | 2025-06-30 |
| CVE-2024-23837 | LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46. | [email protected] | 7.5 | 1.19% | 2024-02-26 | 2025-11-03 |
| CVE-2019-17420 | In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending. | [email protected] | 5.3 | 1.35% | 2019-10-10 | 2024-11-21 |
| CVE-2018-10243 | htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header. | [email protected] | 9.8 | 2.30% | 2019-04-04 | 2024-11-21 |
| CVE-2015-0928 | libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference). | [email protected] | 7.5 | 2.34% | 2017-08-28 | 2026-05-13 |