CVE-2023-26044: 
PHP vulnerability analysis and mitigation

ReactPHP's HTTP server component (react/http) contains a potential Denial of Service (DoS) vulnerability (CVE-2023-26044) that affects versions from 0.8.0 to versions prior to 1.9.0. The vulnerability was discovered and disclosed on May 17, 2023, affecting the HTTP server's request body processing functionality (GitHub Advisory).

The vulnerability exists in the HTTP server's multipart request body processing mechanism. When explicitly using the RequestBodyBufferMiddleware with very large settings, the server continues parsing unused multipart parts after reaching configured limits. This behavior can lead to excessive CPU consumption during request processing. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

When exploited, this vulnerability can cause high CPU load when processing large HTTP request bodies, potentially leading to significant delays or slowdowns in processing legitimate user requests. The impact is particularly notable when the RequestBodyBufferMiddleware is configured with very large settings, though it has minimal impact on default configurations (GitHub Advisory).

The vulnerability has been patched in version 1.9.0 of the react/http package. For users unable to upgrade immediately, two workarounds are available: 1) Keep the request body limit using RequestBodyBufferMiddleware at a sensible value, and 2) Place a reverse proxy in front of the ReactPHP HTTP server to filter out excessive HTTP request bodies (GitHub Advisory).