CVE-2023-44487
In short
HTTP/2 allows attackers to crash or disable web servers by rapidly sending many stream cancellation requests that consume server resources. This vulnerability was actively exploited against real websites in 2023.
Technical detail
HTTP/2 stream cancellation (RST_STREAM frames) can be abused to reset many streams in rapid succession, causing excessive CPU and memory consumption on servers. The attack requires only network access to send crafted HTTP/2 frames, needs no authentication, and results in denial of service through resource exhaustion on affected servers.
Summary generated and translated by AI from the official description.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a
Public PoCs found — 25
github.com/bcdannyboy/CVE-2023-44487 (★ 245)
github.com/secengjeff/rapidresetclient (★ 75)
github.com/Appsynergy-io/CVE-2023-44487 (★ 56)
github.com/studiogangster/CVE-2023-44487 (★ 21)
github.com/nxenon/cve-2023-44487 (★ 14)
github.com/threatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC (★ 8)
github.com/ndrscodes/http2-rst-stream-attacker (★ 6)
github.com/ReToCode/golang-CVE-2023-44487 (★ 2)
github.com/moften/CVE-2023-44487-HTTP-2-Rapid-Reset-Attack (★ 2)
github.com/tpirate/cve-2023-44487-POC (★ 2)
github.com/zanks08/cve-2023-44487-demo (★ 1)
github.com/aulauniversal/CVE-2023-44487 (★ 1)
github.com/ByteHackr/CVE-2023-44487 (★ 0)
github.com/BMG-Black-Magic/CVE-2023-44487 (★ 0)
github.com/madhantr0/http2-security-lab (★ 0)
github.com/madhusudhan-in/CVE_2023_44487-Rapid_Reset (★ 0)
github.com/sigridou/CVE-2023-44487- (★ 0)
github.com/sn130hk/CVE-2023-44487 (★ 0)
github.com/TYuan0816/cve-2023-44487 (★ 0)
github.com/ReGeLePuMa/HTTP-2-Rapid-Reset-DDos (★ 0)
github.com/sastraadiwiguna-purpleeliteteaming/DDoS-Purple-Teaming-Offensive-Multi-Vector-7-Tier-Defensive-Holistic-Blueprint- (★ 0)
github.com/TLevente20/HTTP-2-RapidReset-CVE-2023-44487-Testlab (★ 0)
github.com/Hirokiii/CVE-2023-44487 (★ 0)
github.com/pabloec20/rapidreset (★ 0)
www.exploit-db.com/exploits/52426 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://access.redhat.com/security/cve/cve-2023-44487
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
https://blog.vespa.ai/cve-2023-44487/
https://bugzilla.proxmox.com/show_bug.cgi?id=4988
https://bugzilla.redhat.com/show_bug.cgi?id=2242803
https://bugzilla.suse.com/show_bug.cgi?id=1216123
https://cert-portal.siemens.com/productcert/html/ssa-082556.html