CVE-2018-6335: Denial of Service (CWE-400) in Facebook HHVM
A malformed h2 frame can cause a 'std::out_of_range' exception when parsing priority metadata. This behavior can lead to denial of service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP/2 requests.
AI Analysis
Technical Summary
CVE-2018-6335 is a high-severity denial-of-service (DoS) vulnerability affecting Facebook's HHVM (HipHop Virtual Machine) versions 3.25.3, 3.25.0, 3.24.7, 3.22.0, 3.21.11, and earlier. HHVM is a virtual machine that executes programs written in PHP and Hack, commonly deployed to improve the performance of PHP applications.

The flaw lies in the handling of malformed HTTP/2 frames by the proxygen server component that HHVM uses to serve HTTP/2 requests. When a malformed HTTP/2 frame carrying priority metadata is parsed, an invalid index or data access raises a std::out_of_range exception. The exception is not caught, so the HHVM process terminates and service is lost. No authentication or user interaction is needed: any client able to send HTTP/2 requests to the server can trigger the condition.

The CVSS v3.1 base score is 7.5 (high): network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability, with no confidentiality or integrity impact. No exploitation in the wild has been reported, but every HHVM deployment exposed to HTTP/2 traffic is at risk, and a crash of the server process means downtime for the web services it hosts.
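The bug class described above, as an added illustration that is not HHVM's or proxygen's code: a HEADERS-frame priority parser that indexes the payload before checking its length, beside one that validates the length (and padding) first and rejects the frame instead of throwing. The field layout follows RFC 7540; the function and constant names are this example's own, and the sample frames are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <vector>

// RFC 7540 HEADERS payload (assumed layout, not proxygen's code):
// [Pad Length: 1, if PADDED][E|Stream Dependency: 4][Weight: 1, if PRIORITY]...
constexpr uint8_t FLAG_PADDED   = 0x08;
constexpr uint8_t FLAG_PRIORITY = 0x20;

struct Priority { bool exclusive; uint32_t dependency; uint8_t weight; };

static uint32_t be32(const std::vector<uint8_t>& p, size_t off) {
  return (uint32_t(p.at(off)) << 24) | (uint32_t(p.at(off + 1)) << 16) |
         (uint32_t(p.at(off + 2)) << 8) | uint32_t(p.at(off + 3));
}

// Unchecked parse: trusts the flags and indexes the payload directly.
// A payload shorter than the fields its flags promise makes vector::at throw
// std::out_of_range; left uncaught, that throw terminates the process.
Priority parsePriorityUnchecked(uint8_t flags, const std::vector<uint8_t>& p) {
  size_t off = (flags & FLAG_PADDED) ? 1 : 0;
  uint32_t dep = be32(p, off);
  return {(dep & 0x80000000u) != 0, dep & 0x7fffffffu, p.at(off + 4)};
}

// Checked parse: verifies that the 5 priority octets exist and are not
// swallowed by trailing padding before reading anything. nullopt lets the
// caller answer with a connection error instead of crashing.
std::optional<Priority> parsePriorityChecked(uint8_t flags, const std::vector<uint8_t>& p) {
  size_t off = 0, pad = 0;
  if (flags & FLAG_PADDED) {
    if (p.empty()) return std::nullopt;
    off = 1;
    pad = p[0];
  }
  if (off + pad > p.size() || p.size() - off - pad < 5) return std::nullopt;
  uint32_t dep = be32(p, off);
  return Priority{(dep & 0x80000000u) != 0, dep & 0x7fffffffu, p[off + 4]};
}

// Demonstration helper: does the unchecked parser throw on this input?
bool uncheckedThrowsOutOfRange(uint8_t flags, const std::vector<uint8_t>& p) {
  try { parsePriorityUnchecked(flags, p); return false; }
  catch (const std::out_of_range&) { return true; }
}
```

A truncated two-byte payload makes the unchecked parser throw, while the checked parser returns nullopt; a padded frame whose declared padding is longer than the payload is silently accepted by the unchecked parser and rejected by the checked one.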
Potential Impact
For European organizations that serve PHP or Hack web applications with HHVM, this vulnerability can cause significant service disruption. The denial-of-service condition can be triggered remotely by unauthenticated attackers, so an exposed server can be crashed repeatedly, taking customer-facing portals, internal applications, or APIs that depend on HHVM offline and creating business-continuity problems. Organizations in sectors that rely heavily on web services, such as finance, e-commerce, government, and healthcare, may suffer operational impact and reputational damage, and prolonged downtime could lead to regulatory non-compliance where service availability is mandated. Because the vulnerability affects neither confidentiality nor integrity, a data breach is unlikely; the risk is to service reliability. The absence of known exploits lowers the immediate risk, but the low effort needed to trigger the crash and the public disclosure make future attacks more likely, especially where patches are not applied promptly.
Mitigation Recommendations
European organizations should prioritize upgrading HHVM to a version beyond those affected (above 3.25.3) in which this vulnerability is fixed. Where an immediate upgrade is not feasible, consider disabling HTTP/2 support in proxygen, or place HHVM behind a hardened reverse proxy or web application firewall (WAF) that can detect and block malformed HTTP/2 frames. Rate limiting and anomaly detection on HTTP/2 traffic help contain exploitation attempts. Monitoring HHVM logs for std::out_of_range exceptions or unexpected process crashes gives early warning of attempted exploitation. Network segmentation and limiting exposure of HHVM servers to trusted networks reduce the attack surface. Vulnerability scanning and patch management processes should cover HHVM components so that updates are applied in good time. Finally, incident response plans should be tested against DoS scenarios to minimize the impact of downtime.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name:
- Date Reserved: 2018-01-26T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 7/3/2025, 7:55:45 AM
Last updated: 7/30/2025, 11:10:08 AM