per-chunk-amplification wiki

55 pages in this category

HTTP

chunkloris: actix-web (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. actix-web (h2c) 4.x. verdict: batches correctly.

[http] [h2] [rust] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: actix-web

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. actix-web 4.x. verdict: vulnerable per chunk.

[http] [h1] [rust] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: aioquic HTTP/3 example-style server

May 22, 2026 • updated

HTTP/3 DATA frames over QUIC. aioquic HTTP/3 example-style server aioquic 1.3.0. verdict: vulnerable per frame.

[http] [h3] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: axum (on hyper)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. axum (on hyper) 0.7 / hyper 1.x. verdict: vulnerable per chunk.

[http] [h1] [rust] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: bandit (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. bandit (h2c) 1.11.1. verdict: vulnerable per frame.

[http] [h2] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: bandit

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. bandit 1.11.1. verdict: vulnerable per chunk.

[http] [h1] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: cowboy (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. cowboy (h2c) 2.15.0 (cowlib 2.16.1, ranch 2.2.0). verdict: protected h2 goaway.

[http] [h2] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: cowboy

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. cowboy 2.15.0 (cowlib 2.16.1, ranch 2.2.0). verdict: vulnerable per chunk.

[http] [h1] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: daphne

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. daphne 4.x. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Kestrel ASP.NET Core WebSockets

May 22, 2026 • updated

WebSocket text frames. Kestrel ASP.NET Core WebSockets ASP.NET Core 9.0 (mcr.microsoft.com/dotnet/aspnet:9.0); Microsoft.AspNetCore.WebSockets. verdict: batches correctly.

[http] [ws] [dotnet] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: express

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. express 5.2.1. verdict: vulnerable per chunk.

[http] [h1] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: falcon (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. falcon (h2c) 0.49.0. verdict: vulnerable per frame.

[http] [h2] [ruby] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: falcon (on async-http / protocol-http1)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. falcon (on async-http / protocol-http1) 0.49.0. verdict: vulnerable per chunk.

[http] [h1] [ruby] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: fastify (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. fastify (h2c) 5.8.5. verdict: vulnerable per frame.

[http] [h2] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: fastify

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. fastify 5.x. verdict: vulnerable per chunk.

[http] [h1] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: gin

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. gin 1.10.1. verdict: vulnerable per chunk.

[http] [h1] [go] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: gorilla/websocket

May 22, 2026 • updated

WebSocket text frames. gorilla/websocket v1.5.3 on go 1.23. verdict: batches correctly.

[http] [ws] [go] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Go net/http + golang.org/x/net/http2 (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. Go net/http + golang.org/x/net/http2 (h2c) go 1.23 + x/net v0.30. verdict: vulnerable per frame.

[http] [h2] [go] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: net/http (stdlib)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. net/http (stdlib) go-1.23.12. verdict: vulnerable per chunk.

[http] [h1] [go] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: quic-go HTTP/3

May 22, 2026 • updated

HTTP/3 DATA frames over QUIC. quic-go HTTP/3 quic-go v0.54.0. verdict: vulnerable per frame.

[http] [h3] [go] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: granian (ASGI h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. granian (ASGI h2c) 1.7.6. verdict: vulnerable per frame.

[http] [h2] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: granian

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. granian 1.x. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: gunicorn

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. gunicorn 23.0.0. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: HAProxy (h2c frontend)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. HAProxy (h2c frontend) 3.0.23. verdict: vulnerable per frame.

[http] [h2] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: HAProxy (with Lua applet for body sink)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. HAProxy (with Lua applet for body sink) 3.0.23. verdict: vulnerable per chunk.

[http] [h1] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: http/1 vs http/2 vs http/3

May 22, 2026 • updated

how the per-chunk amplification shape changes (and does not change) across http/1.1 chunked transfer encoding, http/2 data frames, and http/3 data frames over quic

[http] [http1] [http2] [http3] [quic] +4 more
chunkloris: Apache httpd mod_http2 (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. Apache httpd mod_http2 (h2c) 2.4.67. verdict: vulnerable per frame.

[http] [h2] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Apache httpd (event MPM + mod_lua)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. Apache httpd (event MPM + mod_lua) 2.4.67. verdict: vulnerable per chunk.

[http] [h1] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: hypercorn

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. hypercorn 0.17.3. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: hypercorn

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. hypercorn 0.17.3. verdict: vulnerable per frame.

[http] [h2] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: hypercorn (HTTP/3)

May 22, 2026 • updated

HTTP/3 DATA frames over QUIC. hypercorn (HTTP/3) 0.17.3 + aioquic 1.3.0. verdict: vulnerable per frame.

[http] [h3] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Kestrel

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. Kestrel 9.0 (Microsoft.AspNetCore 9.0; bundled in mcr.microsoft.com/dotnet/aspnet:9.0). verdict: batches correctly.

[http] [h1] [dotnet] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Kestrel (ASP.NET Core 9, h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. Kestrel (ASP.NET Core 9, h2c) 9.0. verdict: vulnerable per frame.

[http] [h2] [dotnet] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Kestrel (ASP.NET Core 9, HTTP/3)

May 22, 2026 • updated

HTTP/3 DATA frames over QUIC. Kestrel (ASP.NET Core 9, HTTP/3) ASP.NET Core 9.0 + MsQuic. verdict: vulnerable per frame.

[http] [h3] [dotnet] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: nginx/openresty (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. nginx/openresty (h2c) 1.29.2.3 / openresty:alpine. verdict: vulnerable per frame.

[http] [h2] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: nginx (openresty distribution)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. nginx (openresty distribution) 1.29.2.3 / openresty:alpine. verdict: vulnerable per chunk.

[http] [h1] [c] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: node http2 (native)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. node http2 (native) node-22. verdict: vulnerable per frame.

[http] [h2] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: node http.Server (built-in)

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. node http.Server (built-in) node-22.22.3. verdict: vulnerable per chunk.

[http] [h1] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: ws (Node)

May 22, 2026 • updated

WebSocket text frames. ws (Node) ws 8.18.0 on node 22-slim. verdict: batches correctly.

[http] [ws] [node] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: phoenix on cowboy (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. phoenix on cowboy (h2c) Phoenix 1.8.7 / plug_cowboy 2.8.1 / cowboy 2.15.0. verdict: protected h2 goaway.

[http] [h2] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: phoenix

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. phoenix 1.7 on plug_cowboy 2.7 / cowboy 2.15.0. verdict: vulnerable per chunk.

[http] [h1] [beam] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: puma

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. puma 6.4.3. verdict: vulnerable per chunk.

[http] [h1] [ruby] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: uvicorn (websockets impl)

May 22, 2026 • updated

WebSocket text frames. uvicorn (websockets impl) uvicorn 0.32.1, websockets 13.1, starlette 0.41.3. verdict: vulnerable per frame.

[http] [ws] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: uvicorn (wsproto impl)

May 22, 2026 • updated

WebSocket text frames. uvicorn (wsproto impl) uvicorn 0.32.1, wsproto 1.2.0, starlette 0.41.3. verdict: vulnerable per frame.

[http] [ws] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: hyper 1.5 + h2 0.4 (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. hyper 1.5 + h2 0.4 (h2c) hyper 1.5 / h2 0.4. verdict: batches correctly.

[http] [h2] [rust] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: tokio-tungstenite

May 22, 2026 • updated

WebSocket text frames. tokio-tungstenite 0.24 on rust 1.83. verdict: batches correctly.

[http] [ws] [rust] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Spring Boot + Tomcat

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. Spring Boot + Tomcat spring-boot-3.3.5 / tomcat-10.1. verdict: vulnerable per chunk.

[http] [h1] [jvm] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Spring Boot + Tomcat (h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. Spring Boot + Tomcat (h2c) spring-boot-3.3.5 / tomcat-10.1. verdict: protected h2 goaway.

[http] [h2] [jvm] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: tornado

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. tornado 6.4.2. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: unicorn

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. unicorn 6.1.0. verdict: vulnerable per chunk.

[http] [h1] [ruby] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: uvicorn

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. uvicorn 0.32.1. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: uvicorn

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. uvicorn 0.32.1. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Vert.x 4.5 (Netty h2c)

May 22, 2026 • updated

HTTP/2 (h2c) DATA frames. Vert.x 4.5 (Netty h2c) 4.5.10. verdict: batches correctly.

[http] [h2] [jvm] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: Vert.x

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. Vert.x 4.5.10. verdict: vulnerable per chunk.

[http] [h1] [jvm] [chunkloris] [per-chunk-amplification] +1 more
chunkloris: waitress

May 22, 2026 • updated

HTTP/1.1 chunked transfer encoding. waitress 3.0.2. verdict: vulnerable per chunk.

[http] [h1] [python] [chunkloris] [per-chunk-amplification] +1 more