CVE-2024-45797

7.5 HIGH

📋 TL;DR

CVE-2024-45797 is a resource exhaustion vulnerability in LibHTP, a widely used HTTP parser library. Attackers can send specially crafted HTTP requests with excessive headers to cause denial of service through CPU and memory exhaustion. This affects any system using vulnerable versions of LibHTP, including Suricata IDS/IPS, Wazuh, and other security tools.

💻 Affected Systems

Products:
  • Suricata
  • Wazuh
  • Security Onion
  • Any application using LibHTP library
Versions: LibHTP versions prior to 0.5.49
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Systems processing HTTP traffic are most vulnerable. The vulnerability is in the library itself, so any application linking against vulnerable LibHTP versions is affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through denial of service, potentially affecting critical security monitoring systems and causing cascading failures in dependent applications.

🟠

Likely Case

Performance degradation and intermittent service interruptions in systems processing HTTP traffic, particularly affecting security monitoring tools and web applications.

🟢

If Mitigated

Minimal impact with proper rate limiting, input validation, and updated versions, though some performance overhead may remain.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP traffic to vulnerable systems. No authentication is needed, making this easily weaponizable in botnets or automated attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.49

Vendor Advisory: https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f

Restart Required: Yes

Instructions:

1. Update LibHTP to version 0.5.49 or later.
2. For Suricata: Update to version 7.0.6 or later.
3. For Wazuh: Update to version 4.9.0 or later.
4. Restart affected services after updating.

🔧 Temporary Workarounds

Rate limiting HTTP headers

Platform: all

Implement rate limiting or size restrictions on HTTP headers at network perimeter devices or web application firewalls.

Suricata configuration tuning

Platform: linux

Configure Suricata to limit maximum HTTP header size and processing time.

suricata -c /etc/suricata/suricata.yaml --set http.request-header-limit=8192
suricata -c /etc/suricata/suricata.yaml --set http.response-header-limit=8192

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks.
  • Deploy web application firewalls with HTTP header size and count restrictions.

🔍 How to Verify

Check if Vulnerable:

Check LibHTP version: ldd /path/to/application | grep libhtp, then check version in library metadata.

Check Version:

For Suricata: suricata --build-info | grep libhtp

Verify Fix Applied:

Verify LibHTP version is 0.5.49 or later: strings /usr/lib/libhtp.so | grep 'libhtp version'
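The version check above, as an added example script (not from the advisory or the LibHTP project): it parses the libhtp line from build-info style output and compares it against the fixed release 0.5.49. The sample build-info text, the `check_host` helper and the exact line format are assumptions; `sort -V` (GNU coreutils) is assumed available.

```shell
#!/bin/sh
# Added example: decide whether a LibHTP version is at or past the fix
# for CVE-2024-45797 (0.5.49, from the advisory). The build-info text
# below is constructed for offline use; on a real host the output of
# `suricata --build-info` is used instead.
FIXED_VERSION="0.5.49"

# Constructed sample; the real line format is an assumption.
SAMPLE_BUILD_INFO="Suricata 7.0.5
  libhtp 0.5.48 (bundled)"

# Return 0 if $1 is a version >= FIXED_VERSION, 1 otherwise.
libhtp_is_fixed() {
    ver="$1"
    # sort -V orders per numeric component; the first line is the lowest,
    # so the fix is present iff the lowest of (fixed, ver) is the fixed one.
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Extract the first "libhtp X.Y.Z" version from text on stdin.
libhtp_version_from_build_info() {
    sed -n 's/.*[Ll]ib[Hh][Tt][Pp][[:space:]][[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Report for this host; exit 0 fixed, 1 vulnerable, 2 undetermined.
check_host() {
    if command -v suricata >/dev/null 2>&1; then
        v=$(suricata --build-info 2>/dev/null | libhtp_version_from_build_info)
    else
        v=$(printf '%s\n' "$SAMPLE_BUILD_INFO" | libhtp_version_from_build_info)
    fi
    if [ -z "$v" ]; then
        echo "could not determine libhtp version"; return 2
    fi
    if libhtp_is_fixed "$v"; then
        echo "libhtp $v: fixed (>= $FIXED_VERSION)"; return 0
    fi
    echo "libhtp $v: VULNERABLE (< $FIXED_VERSION)"; return 1
}
```

A plain string compare would rank 0.5.9 above 0.5.49, which is why the component-wise `sort -V` comparison is used.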

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes in LibHTP processes
  • Memory exhaustion warnings
  • HTTP parsing errors or timeouts

Network Indicators:

  • Unusually large HTTP headers in traffic
  • Multiple HTTP requests with excessive headers from single sources

SIEM Query:

source="suricata" AND (event_type="alert" AND alert.signature_id=* AND alert.signature="ET POLICY HTTP Request Header Overflow Attempt")
