CVE-2024-28871

7.5 HIGH

📋 TL;DR

CVE-2024-28871 is a denial-of-service vulnerability in LibHTP's HTTP parser: malformed request traffic can drive the parser into excessive CPU usage. It affects any system using LibHTP version 0.5.46 for HTTP parsing, most visibly Suricata sensors, and can degrade or exhaust the parsing process under sustained malicious traffic. The vulnerability is fixed in version 0.5.47; the advisory lists no workarounds.

💻 Affected Systems

Products:
  • LibHTP
  • Suricata (when using LibHTP)
  • Other products embedding LibHTP
Versions: Version 0.5.46 only
Operating Systems: All operating systems using affected LibHTP version
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or security tool using LibHTP 0.5.46 for HTTP parsing is vulnerable regardless of configuration.

📦 What is this software?

LibHTP is a security-aware parser for the HTTP protocol, maintained under the OISF GitHub organisation. Its main consumer is the Suricata IDS/IPS, which uses it to parse HTTP traffic for inspection; Suricata source tarballs bundle a copy of the library, so a Suricata build may carry LibHTP even when no separate libhtp package is installed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage due to CPU exhaustion, making affected systems unresponsive to legitimate traffic. For an IDS/IPS sensor this means lost visibility (or, in inline mode, dropped or delayed traffic) while the attack is in progress.

🟠

Likely Case

Performance degradation and intermittent service disruptions under sustained malicious traffic.

🟢

If Mitigated

Minimal impact with proper monitoring and rapid response to anomalous CPU spikes.

🌐 Internet-Facing: HIGH - Internet-facing systems are directly exposed to malicious HTTP traffic.
🏢 Internal Only: MEDIUM - Internal systems could be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed HTTP requests, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.47

Vendor Advisory: https://github.com/OISF/libhtp/security/advisories/GHSA-ffr2-45w9-7wmg

Restart Required: Yes

Instructions:

1. Identify systems using LibHTP 0.5.46, including Suricata builds that bundle it
2. Update to LibHTP 0.5.47 via package manager or source compilation (for bundled copies, update Suricata to a release that ships 0.5.47 or later)
3. Restart affected services using LibHTP
4. Verify the update with 'pkg-config --modversion htp' (LibHTP installs an htp.pc file) or by checking HTP_VERSION_STRING in the installed htp/htp_version.h header

🔧 Temporary Workarounds

No official workarounds

The advisory states no known workarounds exist. Patching is the only mitigation.

🧯 If You Can't Patch

  • Rate-limit or filter abusive HTTP sources upstream of the affected parser (load balancer, WAF, or perimeter filter); note that an IDS sensor running LibHTP parses everything that reaches its capture interface, so the control must sit in front of it, not on it
  • Deploy anomaly detection on parser CPU usage and request rates so a DoS attempt is identified and the source blocked quickly

🔍 How to Verify

Check if Vulnerable:

Check the LibHTP version: 'pkg-config --modversion htp', your package manager's output, or the HTP_VERSION_STRING macro in the installed htp/htp_version.h. Version 0.5.46 is vulnerable. For Suricata built from a release tarball, check the version of the bundled libhtp/ directory, since no separate package may be installed.

Check Version:

pkg-config --modversion htp

Verify Fix Applied:

Confirm the version is 0.5.47 or later using the version check, restart the services that link the library (a running process keeps the old copy mapped until restarted), and monitor CPU usage during normal traffic.
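The following script automates the version check from the fix instructions and the verification steps above. It is an added example, not part of the advisory or of the LibHTP project. It assumes LibHTP installs an htp.pc pkg-config file or an htp/htp_version.h header defining HTP_VERSION_STRING under /usr/include or /usr/local/include; the status names ("affected", "fixed", "older-unlisted") are this script's own. Distro version suffixes such as "-1" are stripped before comparison.

```sh
#!/bin/sh
# Added example: report whether the installed LibHTP is the 0.5.46 release
# affected by CVE-2024-28871. Not part of the advisory or the LibHTP project.
# Assumption: libhtp ships htp.pc (pkg-config) or htp/htp_version.h with a
# '#define HTP_VERSION_STRING "x.y.z"' line under a standard include prefix.

AFFECTED_VERSION="0.5.46"
FIXED_VERSION="0.5.47"

# version_lt A B: exit 0 if dotted numeric version A sorts before B.
# Non-numeric trailing characters in a component are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# libhtp_status VERSION: print "affected" for exactly 0.5.46, "fixed" for
# 0.5.47 or later, and "older-unlisted" for anything before 0.5.46 (the
# advisory lists only 0.5.46, but an older tree still deserves an update).
libhtp_status() {
  v=${1%%[!0-9.]*}   # drop distro suffixes such as "-1" or "ubuntu1"
  if [ "$v" = "$AFFECTED_VERSION" ]; then
    echo "affected"
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "older-unlisted"
  else
    echo "fixed"
  fi
}

# libhtp_version: print the installed version, trying pkg-config first and
# the header macro second. Exits 1 and prints nothing if neither is found
# (e.g. Suricata built with a statically bundled copy and no htp.pc).
libhtp_version() {
  v=$(pkg-config --modversion htp 2>/dev/null) && [ -n "$v" ] && { echo "$v"; return 0; }
  for inc in /usr/include /usr/local/include; do
    h="$inc/htp/htp_version.h"
    [ -r "$h" ] || continue
    v=$(sed -n 's/^#define HTP_VERSION_STRING[[:space:]]*"\([^"]*\)".*/\1/p' "$h")
    [ -n "$v" ] && { echo "$v"; return 0; }
  done
  return 1
}

# main: one-line report for this host. Always exits 0 so it can be used from
# inventory scripts; the printed status word is the result.
main() {
  if v=$(libhtp_version); then
    echo "libhtp $v: $(libhtp_status "$v") (CVE-2024-28871 fixed in $FIXED_VERSION)"
  else
    echo "libhtp: not found via pkg-config or htp_version.h; check bundled copies (Suricata libhtp/ tree)"
  fi
  return 0
}

main "$@"
```

Run it on each host that links LibHTP and grep the output for "affected". A host whose Suricata bundles the library statically will report "not found"; for those, read HTP_VERSION_STRING from the libhtp/ directory of the Suricata source tree that was built, or check the Suricata release notes for the bundled LibHTP version.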

📡 Detection & Monitoring

Log Indicators:

  • Sustained CPU spikes in the process that hosts the parser (for Suricata, the worker threads), without a matching rise in legitimate request volume
  • HTTP parsing errors or malformed-request events from the parser (Suricata's HTTP anomaly/error events, for example)

Network Indicators:

  • High volume of malformed HTTP requests toward systems that run the affected parser
  • Abnormal traffic patterns that coincide with the CPU alerts above

SIEM Query (generic template; adapt the source and host fields to your own CPU metric and inventory):

source="*cpu*" AND (message="*high*" OR message="*spike*") AND host="*affected-system*"

🔗 References

  • GitHub Security Advisory GHSA-ffr2-45w9-7wmg: https://github.com/OISF/libhtp/security/advisories/GHSA-ffr2-45w9-7wmg
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-28871