This vulnerability impacts the open source Go spdystream library for multiplexing streams over SPDY connections. The SPDY/3 frame parser does not validate attacker-controlled frame counts and lengths before allocating memory, affecting three distinct code paths. A small compressed on-the-wire payload can decompress into extremely large attacker-controlled allocation sizes, leading to process out-of-memory crashes. A remote unauthenticated attacker can trigger this denial of service with a single crafted SPDY frame.
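The allocate-before-validate pattern described above, as an added example that is not spdystream's own code: a hypothetical, simplified SPDY-style frame carrying an attacker-supplied payload length and entry count, decoded by a parser that checks both against the bytes actually present before any size-dependent allocation. The frame layout, the 64 KiB cap, and every function name here are assumptions made for the illustration; the comments mark where the vulnerable shape would have allocated first.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed, simplified SPDY-style frame used only for this illustration
// (not spdystream's wire format):
//   4-byte big-endian payload length | payload
//   payload = 4-byte entry count | count x (4-byte id, 4-byte value)
// Both the length and the count come straight off the wire; the bug class in
// the advisory is allocating from them before checking them.

const (
	maxFrameLen = 64 * 1024 // assumed policy cap on one frame's payload
	entrySize   = 8         // bytes per (id, value) pair
)

var (
	ErrFrameTooLarge = errors.New("declared frame length exceeds cap")
	ErrShortFrame    = errors.New("frame truncated")
	ErrBadCount      = errors.New("entry count does not fit in payload")
)

// Entry is one (id, value) pair carried in the frame.
type Entry struct{ ID, Value uint32 }

// DecodeFrame parses one frame from data, validating every wire-supplied
// size before any allocation that depends on it.
func DecodeFrame(data []byte) ([]Entry, error) {
	if len(data) < 4 {
		return nil, ErrShortFrame
	}
	n := binary.BigEndian.Uint32(data[:4])

	// Check 1: cap the declared length before trusting it. The vulnerable
	// shape does make([]byte, n) here with n taken from the header, so four
	// bytes on the wire can demand gigabytes of memory.
	if n > maxFrameLen {
		return nil, ErrFrameTooLarge
	}
	if len(data)-4 < int(n) {
		return nil, ErrShortFrame
	}
	payload := data[4 : 4+int(n)] // slice the input; no copy sized by n is needed

	if len(payload) < 4 {
		return nil, ErrShortFrame
	}
	count := binary.BigEndian.Uint32(payload[:4])
	body := payload[4:]

	// Check 2: the count must agree with the bytes actually present. The
	// vulnerable shape does make([]Entry, count) first, so a 12-byte payload
	// can claim billions of entries. Multiply in uint64 to rule out overflow.
	if uint64(count)*entrySize != uint64(len(body)) {
		return nil, ErrBadCount
	}
	entries := make([]Entry, count) // now bounded by len(body)/entrySize
	for i := range entries {
		off := i * entrySize
		entries[i] = Entry{
			ID:    binary.BigEndian.Uint32(body[off : off+4]),
			Value: binary.BigEndian.Uint32(body[off+4 : off+8]),
		}
	}
	return entries, nil
}

// EncodeFrame builds a well-formed frame; used here to construct sample input.
func EncodeFrame(entries []Entry) []byte {
	payload := make([]byte, 4+len(entries)*entrySize)
	binary.BigEndian.PutUint32(payload[:4], uint32(len(entries)))
	for i, e := range entries {
		off := 4 + i*entrySize
		binary.BigEndian.PutUint32(payload[off:off+4], e.ID)
		binary.BigEndian.PutUint32(payload[off+4:off+8], e.Value)
	}
	frame := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(frame[:4], uint32(len(payload)))
	return append(frame, payload...)
}

// OversizedHeader is a constructed 4-byte header that declares a ~4 GiB
// payload with nothing behind it: the cheap input an unbounded parser would
// turn into a huge allocation, and which DecodeFrame rejects without allocating.
func OversizedHeader() []byte {
	return []byte{0xff, 0xff, 0xff, 0xff}
}

func main() {
	frame := EncodeFrame([]Entry{{ID: 4, Value: 100}, {ID: 7, Value: 65536}})
	entries, err := DecodeFrame(frame)
	fmt.Println(entries, err)
	_, err = DecodeFrame(OversizedHeader())
	fmt.Println("oversized header:", err)
}
```

The same discipline applies to each of the three code paths the advisory mentions: any length or count read from the wire is compared against a fixed cap and against the bytes already in hand, and only the smaller, verified value ever reaches `make`.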
Remediation
Upgrade the spdystream library to version 0.5.1 or later, which fixes this issue. Audit application dependencies to confirm the patched version is pulled into your build and runtime environments. If immediate upgrade is not possible, restrict access to SPDY endpoints to only trusted peers.