CVE-2023-44487

Known Exploited (CISA KEV), Public Exploit

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.1 base score: 7.5 (Severity: High)
EPSS: 94.50% (Top 5%)
KEV Since:
Vendor advisories: debian.org, fedoraproject.org, gentoo.org, redhat.com, cloudflare.com, litespeedtech.com, vespa.ai, suse.com, freebsd.org, google.com, traefik.io, swift.org, github.com, istio.io, linkerd.io, microsoft.com, f5.com, netty.io, paloaltonetworks.com, ubuntu.com, haproxy.com, netlify.com, nginx.com
Affected: n/a
Published at:
Updated at:

References

Link Tags
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73 product release notes
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ vendor advisory technical description
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/ third party advisory
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack vendor advisory technical description
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ mitigation vendor advisory
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/ vendor advisory technical description
https://news.ycombinator.com/item?id=37831062 issue tracking
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/ third party advisory vendor advisory
https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack press/media coverage
https://github.com/envoyproxy/envoy/pull/30055 patch issue tracking
https://github.com/haproxy/haproxy/issues/2312 issue tracking
https://github.com/eclipse/jetty.project/issues/10679 issue tracking
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764 vendor advisory
https://github.com/nghttp2/nghttp2/pull/1961 patch issue tracking
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 patch
https://github.com/alibaba/tengine/issues/1872 issue tracking
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2 product third party advisory
https://news.ycombinator.com/item?id=37830987 issue tracking
https://news.ycombinator.com/item?id=37830998 issue tracking press/media coverage
https://github.com/caddyserver/caddy/issues/5877 vendor advisory issue tracking
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/ third party advisory
https://github.com/bcdannyboy/CVE-2023-44487 third party advisory
https://github.com/grpc/grpc-go/pull/6703 patch issue tracking
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244 product
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0 release notes
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html patch mailing list third party advisory
https://my.f5.com/manage/s/article/K000137106 vendor advisory
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/ patch vendor advisory
https://bugzilla.proxmox.com/show_bug.cgi?id=4988 third party advisory issue tracking
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 patch vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/10/7 third party advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/10/6 third party advisory mailing list
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected third party advisory
https://github.com/microsoft/CBL-Mariner/pull/6381 patch issue tracking
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo vendor advisory mailing list release notes
https://github.com/facebook/proxygen/pull/466 patch issue tracking
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088 patch issue tracking
https://github.com/micrictor/http2-rst-stream third party advisory exploit
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve third party advisory technical description
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/ third party advisory
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf vendor advisory
https://github.com/h2o/h2o/pull/3291 patch issue tracking
https://github.com/nodejs/node/pull/50121 issue tracking
https://github.com/dotnet/announcements/issues/277 vendor advisory mitigation issue tracking
https://github.com/golang/go/issues/63417 issue tracking
https://github.com/advisories/GHSA-vx74-f528-fxqg patch vendor advisory mitigation
https://github.com/apache/trafficserver/pull/10564 patch issue tracking
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487 patch vendor advisory mitigation
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14 release notes
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q mailing list
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487 third party advisory vendor advisory
https://github.com/opensearch-project/data-prepper/issues/3474 patch issue tracking
https://github.com/kubernetes/kubernetes/pull/121120 patch issue tracking
https://github.com/oqtane/oqtane.framework/discussions/3367 issue tracking
https://github.com/advisories/GHSA-xpw8-rcwv-8f8p patch vendor advisory
https://netty.io/news/2023/10/10/4-1-100-Final.html release notes vendor advisory
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 third party advisory us government resource
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/ third party advisory press/media coverage
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack third party advisory press/media coverage
https://news.ycombinator.com/item?id=37837043 issue tracking
https://github.com/kazu-yamamoto/http2/issues/93 issue tracking
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html third party advisory
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1 patch
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113 product
https://www.debian.org/security/2023/dsa-5522 vendor advisory mailing list
https://www.debian.org/security/2023/dsa-5521 vendor advisory mailing list
https://access.redhat.com/security/cve/cve-2023-44487 vendor advisory
https://github.com/ninenines/cowboy/issues/1615 issue tracking
https://github.com/varnishcache/varnish-cache/issues/3996 issue tracking
https://github.com/tempesta-tech/tempesta/issues/1986 issue tracking
https://blog.vespa.ai/cve-2023-44487/ vendor advisory
https://github.com/etcd-io/etcd/issues/16740 patch issue tracking
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event third party advisory press/media coverage
https://istio.io/latest/news/security/istio-security-2023-004/ vendor advisory
https://github.com/junkurihara/rust-rpxy/issues/97 issue tracking
https://bugzilla.suse.com/show_bug.cgi?id=1216123 vendor advisory issue tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2242803 vendor advisory issue tracking
https://ubuntu.com/security/CVE-2023-44487 vendor advisory
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125 vendor advisory
https://github.com/advisories/GHSA-qppj-fm5r-hxr3 vendor advisory
https://github.com/apache/httpd-site/pull/10 issue tracking
https://github.com/projectcontour/contour/pull/5826 patch issue tracking
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632 patch
https://github.com/line/armeria/pull/5232 patch issue tracking
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/ vendor advisory
https://security.paloaltonetworks.com/CVE-2023-44487 vendor advisory
https://github.com/akka/akka-http/issues/4323 issue tracking
https://github.com/openresty/openresty/issues/930 issue tracking
https://github.com/apache/apisix/issues/10320 issue tracking
https://github.com/Azure/AKS/issues/3947 issue tracking
https://github.com/Kong/kong/discussions/11741 issue tracking
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487 third party advisory exploit
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/ vendor advisory
https://github.com/caddyserver/caddy/releases/tag/v2.7.5 third party advisory release notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html third party advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/13/4 third party advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/13/9 third party advisory mailing list
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/ third party advisory press/media coverage
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/ vendor advisory mailing list
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/ vendor advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html mailing list
https://security.netapp.com/advisory/ntap-20231016-0001/ third party advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html mailing list
http://www.openwall.com/lists/oss-security/2023/10/18/4 third party advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/18/8 third party advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/19/6 third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/ vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/10/20/8 third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/ vendor advisory mailing list
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html mailing list
https://www.debian.org/security/2023/dsa-5540 vendor advisory mailing list third party advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html mailing list
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715 third party advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/ vendor advisory mailing list
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html mailing list
https://www.debian.org/security/2023/dsa-5549 vendor advisory mailing list third party advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/ vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/ vendor advisory mailing list
https://www.debian.org/security/2023/dsa-5558 vendor advisory mailing list third party advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html mailing list
https://security.gentoo.org/glsa/202311-09 third party advisory vendor advisory
https://www.debian.org/security/2023/dsa-5570 third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20240426-0007/ third party advisory
https://security.netapp.com/advisory/ntap-20240621-0006/ third party advisory exploit
https://security.netapp.com/advisory/ntap-20240621-0007/ third party advisory
https://github.com/grpc/grpc/releases/tag/v1.59.2 mailing list
https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-44487?
CVE-2023-44487 has been scored as a high severity vulnerability.
How to fix CVE-2023-44487?
To fix CVE-2023-44487, upgrade every component that terminates HTTP/2 to a fixed release: web servers, reverse proxies, load balancers, ingress controllers, service meshes, gRPC stacks and language runtimes are all in scope, not just the front-end server. The patch and release-notes links above name fixed versions for many of them (for example nghttp2 v1.57.0, Netty 4.1.100.Final, Caddy v2.7.5, Apache Tomcat 10.1.14, grpc v1.59.2, the golang.org/x/net fix in GHSA-vx74-f528-fxqg). The fixes share one idea: a client-sent RST_STREAM no longer lets the client open a replacement stream for free; the server counts or rate-limits resets per connection and closes connections that abuse them. Where an upgrade is not yet possible, reduce exposure: keep per-connection limits (SETTINGS_MAX_CONCURRENT_STREAMS, keepalive request limits) at their defaults or tighter, rate-limit or block abusive clients at the edge (CDN, WAF, load balancer), or temporarily disable HTTP/2 on the exposed listener and accept HTTP/1.1 fallback. Some implementations have stated they were not affected (HAProxy and hyper, see the links above), so check your vendor's advisory before assuming either way.
Is CVE-2023-44487 being actively exploited in the wild?
CVE-2023-44487 is listed in the CISA Known Exploited Vulnerabilities catalog and was used in the wild for record-size DDoS attacks between August and October 2023, so treat any unpatched HTTP/2 endpoint as exposed. Its EPSS score of 94.50% is an estimate that exploitation activity will be observed in the next 30 days, which places it in the top 5% of all scored CVEs.
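The description above explains the attack at the protocol level (open a stream, cancel it at once, repeat), and the "How to fix" answer states why limiting concurrent streams is not enough. The following Python model, added here as an illustration and not taken from any vendor or project, shows both: it serializes and parses HTTP/2 frames per RFC 9113 section 4.1, keeps per-connection stream accounting the way a server does, and compares a concurrency-limit-only policy against a policy that also budgets client resets. The reset budget of 50, the HEADERS payload bytes and the error-string verdicts are assumptions of this example (real servers rate-limit resets over a time window rather than counting them per connection).

```python
"""Frame-level model of HTTP/2 Rapid Reset and one mitigation.

Added example (not vendor code). Frame layout follows RFC 9113 section 4.1;
the reset budget, the verdict strings and the HEADERS payload bytes are
assumptions of this example, not values taken from any advisory.
"""
import struct
from dataclasses import dataclass, field

HEADERS, RST_STREAM = 0x1, 0x3          # frame types (RFC 9113 section 6)
END_STREAM, END_HEADERS = 0x1, 0x4      # HEADERS flags
CANCEL = 0x8                            # RST_STREAM error code the attack sends


def frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


@dataclass
class ConnectionGuard:
    """Per-connection stream accounting. max_concurrent_streams is what
    SETTINGS_MAX_CONCURRENT_STREAMS enforces; max_resets is the assumed
    mitigation policy (client RST_STREAMs tolerated before teardown)."""
    max_concurrent_streams: int = 128
    max_resets: int = 50
    open_streams: set = field(default_factory=set)
    opened: int = 0
    resets: int = 0
    peak_concurrency: int = 0
    verdict: str = "ok"

    def feed(self, data: bytes) -> str:
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.verdict != "ok":
                break
            if ftype == HEADERS and sid not in self.open_streams:
                if len(self.open_streams) >= self.max_concurrent_streams:
                    self.verdict = "PROTOCOL_ERROR: concurrency limit exceeded"
                    continue
                self.open_streams.add(sid)
                self.opened += 1
                self.peak_concurrency = max(self.peak_concurrency, len(self.open_streams))
            elif ftype == RST_STREAM and sid in self.open_streams:
                # The reset frees the concurrency slot immediately although the
                # server has already started work on the request: the attack.
                self.open_streams.discard(sid)
                self.resets += 1
                if self.resets > self.max_resets:
                    self.verdict = "ENHANCE_YOUR_CALM: too many stream resets"
        return self.verdict


FAKE_HEADER_BLOCK = b"\x82\x86\x84"  # constructed stand-in for an HPACK header block


def rapid_reset_traffic(requests: int) -> bytes:
    """Attack pattern: every request is cancelled right after it is sent."""
    out = b""
    for i in range(requests):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += frame(HEADERS, sid, FAKE_HEADER_BLOCK, END_STREAM | END_HEADERS)
        out += frame(RST_STREAM, sid, struct.pack("!I", CANCEL))
    return out


def normal_traffic(requests: int) -> bytes:
    """Benign pattern: requests opened and left for the server to answer."""
    return b"".join(frame(HEADERS, 2 * i + 1, FAKE_HEADER_BLOCK, END_STREAM | END_HEADERS)
                    for i in range(requests))


def analyze(data: bytes, **policy) -> dict:
    """Run one connection's frames through the guard and report what it saw."""
    guard = ConnectionGuard(**policy)
    verdict = guard.feed(data)
    return {"verdict": verdict, "opened": guard.opened, "resets": guard.resets,
            "peak_concurrency": guard.peak_concurrency}


if __name__ == "__main__":
    # Concurrency limit alone never fires: the attacker holds at most one stream open.
    print(analyze(rapid_reset_traffic(1000), max_resets=10**9))
    # The reset budget tears the connection down after 51 resets.
    print(analyze(rapid_reset_traffic(1000)))
    print(analyze(normal_traffic(100)))
```

The first call is the vulnerable behaviour: a thousand requests are dispatched to backends while the connection never has more than one stream open, so SETTINGS_MAX_CONCURRENT_STREAMS is respected throughout. The second call is the mitigation the fixed implementations converge on; a production version keys the budget on a sliding time window and on the ratio of resets to opened streams, so that a legitimate client cancelling a few requests is never affected.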
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, FIRST.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.