CVE-2018-6335 in HHVM

Summary

by MITRE

A malformed h2 frame can cause a 'std::out_of_range' exception when parsing priority metadata. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.

Analysis

by VulDB Data Team • 05/06/2025

The vulnerability described in CVE-2018-6335 represents a critical denial-of-service weakness within HHVM's HTTP/2 implementation that stems from improper handling of malformed priority metadata within HTTP/2 frames. This issue specifically impacts the proxygen server component of HHVM, which serves as the HTTP/2 request handler for the platform. The flaw manifests when the system encounters a malformed h2 frame containing invalid priority metadata, triggering a std::out_of_range exception during the parsing process. This exception occurs within the standard C++ library's exception handling mechanisms, indicating that the vulnerability exists in the core parsing logic rather than in application-level code. The affected versions include HHVM 3.25.2, 3.24.6, and all versions prior to 3.21.10, demonstrating that this issue has persisted across multiple release lines and affects the broader HHVM ecosystem.

The technical root cause of this vulnerability lies in the insufficient bounds checking and input validation performed during HTTP/2 frame processing. When the proxygen server receives an HTTP/2 frame with malformed priority information, the parsing routine attempts to access memory locations or array indices that exceed the valid range of the allocated data structures. This type of error falls under CWE-129, which specifically addresses insufficient bounds checking for buffer access, and CWE-682, which covers incorrect arithmetic operations that can lead to buffer overflows. The standard library's std::out_of_range exception is thrown when the parsing code attempts to access data beyond the expected boundaries, causing the application to terminate abruptly. This behavior represents a classic example of a resource exhaustion vulnerability where the system's normal processing flow is disrupted by malformed input rather than being properly handled through graceful error recovery mechanisms.
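
The failure mode described above can be illustrated with a small parser for the HTTP/2 priority fields as RFC 7540 defines them. This is an added example, not HHVM or proxygen code: the names `decodeUnchecked`, `parsePriority`, `Status` and the sample frame are hypothetical, and it shows only the general pattern of a throwing accessor next to a length-validated parser.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
using Bytes = std::vector<uint8_t>;
struct Priority { uint32_t dependency; bool exclusive; uint8_t weight; };
enum class Status { Ok, NoPriority, Truncated, FrameSizeError, ProtocolError };
// Frame layout constants from RFC 7540, sections 4.1, 6.2 and 6.3.
constexpr std::size_t kHeaderLen = 9, kPriorityLen = 5;
constexpr uint8_t kHeaders = 0x1, kPriority = 0x2, kPadded = 0x08, kHasPriority = 0x20;

// Fragile pattern: trusts the caller's offset and lets vector::at() throw
// std::out_of_range on a short buffer. Uncaught, that terminates the process.
Priority decodeUnchecked(const Bytes& b, std::size_t off) {
  uint32_t dep = (uint32_t(b.at(off)) << 24) | (uint32_t(b.at(off + 1)) << 16) |
                 (uint32_t(b.at(off + 2)) << 8) | uint32_t(b.at(off + 3));
  return {dep & 0x7fffffffu, (dep >> 31) != 0, b.at(off + 4)};
}

// Hardened pattern: every length is validated before any byte is read, and a
// malformed frame becomes an error code the connection handler can act on.
Status parsePriority(const Bytes& f, Priority& out) {
  if (f.size() < kHeaderLen) return Status::Truncated;
  std::size_t len = (std::size_t(f[0]) << 16) | (std::size_t(f[1]) << 8) | f[2];
  uint8_t type = f[3], flags = f[4];
  uint32_t stream = ((uint32_t(f[5]) << 24) | (uint32_t(f[6]) << 16) |
                     (uint32_t(f[7]) << 8) | f[8]) & 0x7fffffffu;
  if (f.size() - kHeaderLen < len) return Status::Truncated;
  std::size_t off = kHeaderLen;
  if (type == kPriority) {
    if (len != kPriorityLen) return Status::FrameSizeError;
  } else if (type == kHeaders && (flags & kHasPriority)) {
    if (flags & kPadded) {  // Pad Length octet precedes the priority fields
      if (len < 1 || len - 1 < f[off]) return Status::ProtocolError;
      len -= 1 + std::size_t(f[off]);
      off += 1;
    }
    if (len < kPriorityLen) return Status::FrameSizeError;
  } else { return Status::NoPriority; }
  out = decodeUnchecked(f, off);  // safe here: off + 5 <= f.size() was proven
  if (stream == 0 || out.dependency == stream) return Status::ProtocolError;
  return Status::Ok;
}

// Constructed sample: PRIORITY frame on stream 3 declaring a 2-byte payload.
bool shortPayloadThrows() {
  Bytes f = {0, 0, 2, kPriority, 0, 0, 0, 0, 3, 0x80, 0x00};
  try { decodeUnchecked(f, kHeaderLen); } catch (const std::out_of_range&) { return true; }
  return false;
}
```

The same constructed short frame that makes the unchecked decoder throw is rejected by `parsePriority` with `Status::FrameSizeError`, so the server can reset the stream instead of unwinding through an unhandled exception.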

The operational impact of this vulnerability extends beyond simple service disruption to potentially enable attackers to systematically destabilize HHVM-based web applications and services. An attacker could craft malicious HTTP/2 requests containing specially formatted priority metadata that would consistently trigger the std::out_of_range exception, resulting in repeated service interruptions and application crashes. This makes the vulnerability particularly dangerous in high-availability environments where continuous uptime is critical. The denial-of-service nature of the exploit means that legitimate users would experience service interruptions while the system attempts to process these malformed requests. The vulnerability affects the entire HTTP/2 request processing pipeline, making it a systemic weakness rather than an isolated component failure. From an attacker's perspective, this represents a low-effort, high-impact method of service disruption, as the malformed frame can be constructed with minimal complexity while producing significant operational consequences.

Mitigation strategies for CVE-2018-6335 should focus on both immediate patching and defensive architectural approaches. The primary solution involves upgrading to HHVM versions that have addressed this specific vulnerability, as the issue has been resolved in subsequent releases through improved input validation and bounds checking mechanisms. Organizations should also implement network-level protections such as HTTP/2 request filtering and rate limiting to reduce the impact of potential attacks. Additionally, implementing proper exception handling and circuit breaker patterns within the application layer can help prevent cascading failures when malformed requests are processed. Security teams should consider deploying intrusion detection systems that can identify and block suspicious HTTP/2 traffic patterns associated with this vulnerability. The ATT&CK framework's T1499.004 technique for network denial-of-service should be considered when developing defensive strategies, as this vulnerability represents a clear example of how malformed input can be weaponized for service disruption. Organizations should also implement comprehensive logging and monitoring to detect when such exceptions occur in production environments, enabling rapid response to potential exploitation attempts.

Reservation: 01/26/2018
Disclosure: 12/31/2018
Moderation: accepted
CPE: ready
EPSS: 0.00695
KEV: no
Activities: very low
