CVE-2024-45403

H2O assertion failure when HTTP/3 requests are cancelled

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.

Category

3.7
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.53%
Vendor Advisory github.com
Affected: h2o h2o
Published at:
Updated at:

References

Link Tags
https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92 vendor advisory
https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 patch
https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c patch
https://h2o.examp1e.net/configure/http3_directives.html product

Frequently Asked Questions

What is the severity of CVE-2024-45403?
CVE-2024-45403 has been scored as a low severity vulnerability.
How to fix CVE-2024-45403?
To fix CVE-2024-45403, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-45403 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-45403 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-45403?
CVE-2024-45403 affects h2o h2o.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.