CVE-2025-57804 is a medium severity vulnerability affecting the python-hyper project's h2 library, a pure-Python implementation of the HTTP/2 protocol stack. The vulnerability is classified under CWE-93, which involves improper neutralization of CRLF (Carriage Return Line Feed) sequences, commonly known as CRLF injection. Specifically, versions of h2 prior to 4.3.0 are vulnerable to an HTTP/2 request splitting attack. This occurs when an attacker injects CRLF characters into HTTP/2 headers. When a server downgrades HTTP/2 requests to HTTP/1.1 without proper validation of header names and values, the injected CRLF sequences can manipulate the request boundaries. This manipulation enables attackers to perform HTTP request smuggling attacks, which can bypass security controls such as firewalls, intrusion detection systems, and application logic that rely on correct request parsing. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited remotely over the network. The CVSS v4.0 score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no required privileges or user interaction. The vulnerability has been patched in h2 version 4.3.0, but no known exploits are currently reported in the wild. Organizations using python-hyper h2 versions prior to 4.3.0 in their HTTP/2 implementations are at risk of this vulnerability, particularly if their infrastructure involves HTTP/2 to HTTP/1.1 downgrading proxies or servers that do not properly sanitize headers.

For European organizations, this vulnerability poses a risk to web services and APIs relying on the python-hyper h2 library for HTTP/2 communication. Exploitation could allow attackers to smuggle HTTP requests, potentially bypassing security controls, leading to unauthorized access, session hijacking, cache poisoning, or web application firewall evasion. This can compromise confidentiality, integrity, and availability of web applications. Industries with high reliance on web services, such as finance, healthcare, e-commerce, and government, may face increased risk. Additionally, the vulnerability could be leveraged in multi-stage attacks targeting critical infrastructure or sensitive data. Since the attack requires no authentication and can be performed remotely, the threat surface is broad. However, the absence of known exploits in the wild and the medium severity score suggest the immediate risk is moderate but should not be underestimated, especially in environments where HTTP/2 to HTTP/1.1 downgrading occurs without strict header validation.

European organizations should immediately audit their use of the python-hyper h2 library and identify any deployments running versions prior to 4.3.0. Upgrading to version 4.3.0 or later is the primary and most effective mitigation. Additionally, organizations should review their HTTP/2 to HTTP/1.1 downgrade mechanisms, ensuring that header validation and sanitization are robust to prevent CRLF injection. Web servers, proxies, and load balancers should be configured to reject or properly handle suspicious header sequences. Implementing strict input validation and employing security controls that detect and block request smuggling attempts can further reduce risk. Network monitoring for anomalous HTTP traffic patterns indicative of request smuggling should be enhanced. Finally, organizations should maintain up-to-date threat intelligence and apply security patches promptly to minimize exposure.