
CVE-2025-57804: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in python-hyper h2

Medium
Tags: Vulnerability, CVE-2025-57804, CWE-93
Published: Mon Aug 25 2025 (08/25/2025, 21:04:52 UTC)
Source: CVE Database V5
Vendor/Project: python-hyper
Product: h2

Description

h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.

AI-Powered Analysis

Last updated: 08/25/2025, 21:33:12 UTC

Technical Analysis

CVE-2025-57804 is a medium-severity vulnerability affecting versions of the python-hyper h2 library prior to 4.3.0. The h2 library is a pure-Python implementation of the HTTP/2 protocol stack, widely used in Python applications and frameworks to handle HTTP/2 connections. The vulnerability arises from improper neutralization of CRLF (Carriage Return Line Feed) sequences in HTTP/2 headers, classified under CWE-93. Specifically, when an HTTP/2 request is downgraded to HTTP/1.1 by a server or intermediary, the h2 library versions before 4.3.0 do not adequately validate or sanitize header names and values. This allows an attacker to inject CRLF characters into headers, effectively enabling HTTP request splitting or request smuggling attacks. Such attacks manipulate the boundaries between HTTP requests, allowing attackers to bypass security controls, poison web caches, or perform cross-user attacks by injecting malicious requests that the server treats as separate. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. No known exploits are currently reported in the wild. The issue was patched in h2 version 4.3.0, which properly sanitizes header inputs to prevent CRLF injection during HTTP/2 to HTTP/1.1 downgrades.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Python-based web servers, proxies, or frameworks that use the h2 library for HTTP/2 support. Exploitation could lead to HTTP request smuggling attacks, which can bypass security controls such as web application firewalls (WAFs) and cause cache poisoning, session hijacking, or unauthorized access to sensitive data. This undermines the confidentiality and integrity of web communications and can disrupt availability by confusing backend systems or triggering erroneous responses. Organizations in sectors with high web traffic and sensitive data handling, such as finance, healthcare, e-commerce, and government, are particularly at risk. Exploitation does not require authentication, which increases the attack surface. Given the widespread adoption of HTTP/2 and Python in web infrastructure, the impact can be broad if vulnerable versions remain in use. However, the absence of known exploits in the wild suggests a window for proactive mitigation.

Mitigation Recommendations

1. Immediately upgrade the python-hyper h2 library to version 4.3.0 or later in all affected systems to ensure the vulnerability is patched.
2. Conduct an inventory of all Python applications and services that use the h2 library to identify vulnerable deployments.
3. Implement strict input validation and sanitization on HTTP headers at the application and proxy layers to detect and block CRLF injection attempts.
4. Deploy or update web application firewalls (WAFs) and intrusion detection/prevention systems (IDS/IPS) with rules specifically targeting HTTP request smuggling and CRLF injection patterns.
5. Monitor HTTP traffic logs for anomalies indicative of request splitting or smuggling attacks, such as unexpected header sequences or duplicated requests.
6. For critical environments, consider isolating or restricting HTTP/2 to HTTP/1.1 downgrades where possible, or enforce consistent protocol handling to reduce downgrade attack vectors.
7. Educate development and operations teams about the risks of HTTP header injection and ensure secure coding practices around HTTP/2 handling.
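The Technical Analysis above and mitigation item 3 both come down to one check: before an HTTP/2 request is re-serialized as HTTP/1.1, every header name and value must be validated so that a CR, LF or NUL byte can never become a second request line. The following is an added example written for this page, not code from the h2 project; it applies the field-validity rules of RFC 9113 section 8.2.1 in a small downgrade serializer, with constructed sample headers.

```python
import string
from typing import Dict, Iterable, List, Tuple

# HTTP token characters, lowercase only: HTTP/2 requires lowercase field names.
TCHAR = frozenset((string.ascii_lowercase + string.digits + "!#$%&'*+-.^_`|~").encode())
PSEUDO_HEADERS = frozenset({b":method", b":scheme", b":authority", b":path"})
# Connection-specific fields are invalid in HTTP/2 and must not reach an HTTP/1.1 backend.
CONNECTION_SPECIFIC = frozenset({b"connection", b"keep-alive", b"proxy-connection",
                                 b"transfer-encoding", b"upgrade"})


class InvalidHeaderError(ValueError):
    """Raised for a header that must not be forwarded to an HTTP/1.1 backend."""


def validate_header(name: bytes, value: bytes) -> None:
    """Apply the RFC 9113 section 8.2.1 field-validity rules to one header."""
    if name.startswith(b":"):
        if name not in PSEUDO_HEADERS:
            raise InvalidHeaderError(f"unknown pseudo-header {name!r}")
    elif not name or any(c not in TCHAR for c in name):
        raise InvalidHeaderError(f"invalid field name {name!r}")
    elif name in CONNECTION_SPECIFIC:
        raise InvalidHeaderError(f"connection-specific field {name!r}")
    # CR, LF and NUL are exactly the bytes that turn one header into a new
    # request line once the request is written out as HTTP/1.1: reject them.
    if any(c in b"\r\n\x00" for c in value):
        raise InvalidHeaderError(f"control character in value of {name!r}")
    if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
        raise InvalidHeaderError(f"leading/trailing whitespace in value of {name!r}")


def downgrade_to_http1(headers: Iterable[Tuple[bytes, bytes]]) -> bytes:
    """Re-serialize validated HTTP/2 request headers as an HTTP/1.1 request head."""
    pseudo: Dict[bytes, bytes] = {}
    regular: List[Tuple[bytes, bytes]] = []
    for name, value in headers:
        validate_header(name, value)
        if name.startswith(b":"):
            # Pseudo-headers must precede regular headers and appear at most once.
            if regular or name in pseudo:
                raise InvalidHeaderError(f"misplaced or duplicate pseudo-header {name!r}")
            pseudo[name] = value
        else:
            regular.append((name, value))
    missing = {b":method", b":path", b":authority"} - set(pseudo)
    if missing:
        raise InvalidHeaderError(f"missing pseudo-headers {sorted(missing)!r}")
    lines = [b"%s %s HTTP/1.1" % (pseudo[b":method"], pseudo[b":path"]),
             b"host: " + pseudo[b":authority"]]
    lines += [b"%s: %s" % (n, v) for n, v in regular]
    return b"\r\n".join(lines) + b"\r\n\r\n"
```

A proxy that performs this downgrade should respond to a rejected header with a stream error (RFC 9113 calls for PROTOCOL_ERROR on malformed requests) rather than forwarding anything to the backend.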


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-20T14:30:35.009Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68acd2f8ad5a09ad004feac4

Added to database: 8/25/2025, 9:17:44 PM

Last enriched: 8/25/2025, 9:33:12 PM

Last updated: 8/25/2025, 9:33:12 PM

