Cowboy 2.12.0 has been released!

Cowboy 2.12 contains a fix for a security vulnerability in the HTTP/2 protocol implementation that has recently been made public: HTTP/2 CONTINUATION Flood.

Cowboy adds a new HTTP/2 option max_fragmented_header_block_size to control how much data is accepted in CONTINUATION frames before an error is triggered.

Cowboy 2.12 was produced and released a few weeks ago, as a result of advance knowledge of this vulnerability. If you already upgraded, you are safe! If not, please upgrade as soon as possible.

Both Cowboy and Cowlib must be upgraded. Cowlib 2.13 has been produced for this fix. This is a minor release and not a patch release only because of the newly added option.

Cowboy 2.12 requires Erlang/OTP 24.0 or greater. It is tested and supported on Linux, macOS and Windows.

A complete list of changes can be found in the migration guide: Migrating from Cowboy 2.11 to 2.12.

You can donate to this project via GitHub Sponsors.

As usual, feedback is appreciated, and issues or questions should be sent via Github tickets or discussions. Thanks!