The vulnerability in PHP Standard Library's HTTP/2 server-side component (Psl\H2\ServerConnection) arises from missing validation that the cumulative DATA frame payload length matches the content-length header declared in the HEADERS frame, contrary to RFC 9113 §8.1.1. This flaw enables a malicious client to send more DATA bytes than declared, bypassing application-level size limits, or fewer bytes and close the stream early, causing misbehavior in applications trusting the declared length. The issue is limited to direct use of Psl\H2\ServerConnection for untrusted traffic; the higher-level Psl\HTTP\Server was not released at the time and is unaffected. The vulnerability is fixed in versions 6.1.2 and 6.2.1 by adding parsing and validation of content-length headers, tracking DATA frame payload length per stream, and throwing exceptions on mismatches. No protocol-layer workarounds exist, so upgrading is required.

A malicious client can exploit this vulnerability to smuggle additional content past application-level size limits by sending more DATA bytes than declared, or cause applications to behave incorrectly by sending fewer DATA bytes and closing the stream early. This can lead to request smuggling attacks or logic errors in applications relying on the declared content-length header. The vulnerability does not impact users of the high-level PSL HTTP server APIs. There is no indication of known exploits in the wild.

A fix is available in PHP Standard Library versions 6.1.2 and 6.2.1. These versions implement proper parsing and validation of the content-length header on incoming HEADERS frames, track cumulative DATA frame payload length per stream, and throw exceptions on mismatches or overflow. Applications using Psl\H2\ServerConnection directly to accept untrusted client traffic should upgrade to these fixed versions. No protocol-layer workarounds exist.