packagist azjezz/psl 6.2.1
Hevlaska 6.2.1

latest release: 6.1.2
5 hours ago

Security Release

This release fixes a server-side HTTP/2 vulnerability in the Psl\H2 component (GHSA-pw9p-jvrm-f7rm).

Impact

Psl\H2\ServerConnection did not validate that the total bytes received in HTTP/2 DATA frames matched the content-length header declared in the initial HEADERS frame, in violation of RFC 9113 §8.1.1 and §8.1.2.6. #777

A malicious client could:

  • Send more DATA bytes than declared, smuggling additional content past application-level size limits.
  • Send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.

This affects consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected.

Patches

  • Parses and validates content-length on server-side HEADERS receive (RFC 9110 §8.6: must be a non-negative decimal integer).
  • Tracks cumulative DATA frame payload length per stream.
  • Throws Psl\H2\Exception\StreamException on mismatch or overflow.

Client-side validation is intentionally not performed, as RFC 9110 §9.3.2 permits HEAD responses to declare content-length without sending DATA.
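As an added illustration of the server-side check the patch describes (hypothetical PHP written for this note, not Psl's own code): strict content-length parsing per RFC 9110 §8.6, cumulative DATA accounting per stream, and an error on overflow or on END_STREAM with a short body. The class, method and exception names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical per-stream tracker; a real server would raise its own
// StreamException (RST_STREAM with PROTOCOL_ERROR) where this throws.
final class StreamLengthTracker
{
    private int $received = 0;

    // $declared is null when the request carried no content-length.
    private function __construct(private ?int $declared) {}

    /** @param array<string, list<string>> $headers decoded, lower-cased field names */
    public static function fromHeaders(array $headers): self
    {
        $values = array_values(array_unique($headers['content-length'] ?? []));
        if ($values === []) {
            return new self(null);
        }
        // RFC 9110 §8.6: exactly one non-negative decimal integer (1*DIGIT);
        // repeated members must all agree, which array_unique has reduced to one.
        if (count($values) !== 1 || !preg_match('/^[0-9]+$/', $values[0])) {
            throw new RuntimeException('Invalid content-length: ' . implode(', ', $values));
        }
        // Conservative size guard: more than 18 significant digits cannot be a
        // real body and would overflow a 64-bit int when cast.
        if (strlen(ltrim($values[0], '0')) > 18) {
            throw new RuntimeException('content-length too large');
        }
        return new self((int) $values[0]);
    }

    // Call once per DATA frame with its payload length (padding excluded) and
    // the END_STREAM flag; for a trailing HEADERS frame call onData(0, true).
    public function onData(int $payloadLength, bool $endStream): int
    {
        if ($payloadLength < 0) {
            throw new InvalidArgumentException('negative payload length');
        }
        $this->received += $payloadLength;
        if ($this->declared !== null && $this->received > $this->declared) {
            throw new RuntimeException(sprintf(
                'DATA exceeds content-length: %d > %d', $this->received, $this->declared));
        }
        if ($endStream && $this->declared !== null && $this->received !== $this->declared) {
            throw new RuntimeException(sprintf(
                'stream ended after %d of %d declared bytes', $this->received, $this->declared));
        }
        return $this->received;
    }
}
```

Constructed usage: `StreamLengthTracker::fromHeaders(['content-length' => ['5']])` followed by `onData(3, false)` and `onData(2, true)` returns 5, whereas `onData(3, true)` after the first frame, or a third frame of any size, throws.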

Additional fixes

  • Psl\H2\ConnectionTrait::waitForSendWindow() now flushes pending buffered writes before suspending. Without this, frames written inside a buffered() block never reach the wire, and a peer that only sends WINDOW_UPDATE after seeing our DATA would deadlock.

Upgrade

composer require php-standard-library/psl:^6.2.1

Credit

Discovered during internal review prior to public exploitation.
