CVE-2023-39325
Published 2024-04-25 (aggregator record date; the upstream Go advisory for this CVE is dated 2023-10-11)
CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption in Go's net/http and golang.org/x/net/http2. This is the Go-specific tracking of the HTTP/2 "Rapid Reset" attack (CVE-2023-44487); fixed in Go 1.20.10, Go 1.21.3 and golang.org/x/net v0.17.0.
Priority P3 · 45 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.80% (88.7th percentile)
Affected
40 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | traefik_traefik | >= 0 < 2.10.5 | 2.10.5 |
| github.com | traefik_traefik | >= 3.0.0-beta1 < 3.0.0-beta4 | 3.0.0-beta4 |
| golang.org | x_net | >= 0 < 0.17.0 | 0.17.0 |
| golang | go | >= 1.20.0 < 1.20.10 | 1.20.10 |
| golang | go | >= 1.21.0 < 1.21.3 | 1.21.3 |
| golang | http2 | < 0.17.0 | 0.17.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3 | — | — |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-1 | — | — |
| msrc | azl3_blobfuse2_2.1.0-4 | — | — |
| msrc | azl3_blobfuse2_2.3.0-1 | — | — |
| msrc | azl3_cert-manager_1.11.2-5 | — | — |
| msrc | azl3_cert-manager_1.11.2-8 | — | — |
| msrc | azl3_cf-cli_8.7.3-2 | — | — |
| msrc | azl3_cf-cli_8.7.3-6 | — | — |
| msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-14 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-8 | — | — |
| msrc | azl3_coredns_1.11.1-4 | — | — |
| msrc | azl3_coredns_1.9.3-9 | — | — |
| msrc | azl3_etcd_3.5.6-11 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 9.8 | CRITICAL | — |
| vendor_ubuntu | 9.8 | CRITICAL | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
The two 9.8/CRITICAL entries are inherited from Ubuntu bundle advisories (mirrored by OSV) whose most severe item is CVE-2023-24531, arbitrary command execution through environment-variable handling; they do not score Rapid Reset itself. Every source that rates this CVE on its own gives 7.5 with an availability-only impact (C:N/I:N/A:H), which is what the NVD vector encodes.
GHSA
github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique
ghsa_unreviewed · 2026-06-23 · CVSS 7.5 · CVE-2023-54365 [HIGH] CWE-400
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
GHSA
GHSA-623g-7789-x7m7: incomplete fix for ose-olm-catalogd-container for Rapid Reset (CVE-2023-39325/CVE-2023-44487)
ghsa_unreviewed · 2024-12-18 · CVSS 7.5 · CVE-2024-12698 [HIGH] CWE-400
An incomplete fix for ose-olm-catalogd-container was issued for the Rapid Reset vulnerability (CVE-2023-39325/CVE-2023-44487) where only unauthenticated streams were protected, not streams created by authenticated sources.
OSV
golang-1.18 vulnerabilities
osv · 2024-11-14 · CVSS 7.5 · CVE-2022-41723 [HIGH]
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run
OSV
golang-1.17 vulnerabilities
osv · 2024-10-10 · CVSS 9.8 · CVE-2023-24531 [CRITICAL]
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as Javascript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special characters in directory or file paths. An attacker could possibly use this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits. An attacker could possibly use this issue
GHSA
GHSA-5m7g-hw7h-q4qh: etcd in the Red Hat OpenStack Platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487 (Rapid Reset)
ghsa_unreviewed · 2024-05-08 · CVSS 7.5 · CVE-2024-4438 [HIGH] CWE-400
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. The etcd package in the Red Hat OpenStack platform uses http://golang.org/x/net/http2 rather than the HTTP/2 implementation bundled with the Red Hat Enterprise Linux Go toolchain, so patching the system Go package does not reach it; the golang.org/x/net module has to be updated at compile time and the binary rebuilt.
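The etcd case turns on which HTTP/2 implementation a binary actually links: the copy bundled in the Go toolchain's net/http, or a golang.org/x/net/http2 module pinned in go.mod and compiled in. The affected table above gives the fixed versions for both (Go 1.20.10 and 1.21.3; golang.org/x/net v0.17.0). The following is an added example, not code from Go, etcd or Red Hat: it reads the same fields `go version -m <binary>` prints (toolchain version and module list, honouring replace directives) and applies both thresholds, so a patched toolchain with a stale vendored x/net is still reported. The etcd-like build info at the end is constructed sample input; the ordering rules for Go lines other than 1.20 and 1.21 (older lines never received the fix, newer ones shipped with it) follow the affected table.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// Fixed versions from the advisory: Go 1.20.10, Go 1.21.3, golang.org/x/net v0.17.0.
var (
	fixedGo   = map[int][3]int{20: {1, 20, 10}, 21: {1, 21, 3}}
	fixedXNet = [3]int{0, 17, 0}
)

// parseVersion turns "go1.20.10", "v0.17.0" or "1.21" into numeric fields. Anything from
// the first "-" or "+" on (pre-release tags, pseudo-version timestamps, build metadata)
// is dropped, so "v0.0.0-2023..." compares as v0.0.0; "go1.21rc2" does not parse at all.
func parseVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// goToolchainVulnerable reports whether the toolchain that built a binary predates the
// net/http fix. Only the 1.20 and 1.21 lines were patched; older never got it, newer has it.
func goToolchainVulnerable(goVersion string) (vulnerable bool, reason string) {
	v, ok := parseVersion(goVersion)
	switch {
	case !ok:
		return true, "unparseable Go version " + goVersion + ", treat as unpatched"
	case v[0] > 1 || v[0] == 1 && v[1] > 21:
		return false, goVersion + " postdates the fix"
	case v[0] < 1 || v[1] < 20:
		return true, goVersion + " is older than the first patched line (1.20.10)"
	}
	fixed := fixedGo[v[1]]
	if less(v, fixed) {
		return true, fmt.Sprintf("%s < %d.%d.%d", goVersion, fixed[0], fixed[1], fixed[2])
	}
	return false, goVersion + " includes the net/http fix"
}

// xnetVulnerable reports whether a golang.org/x/net version predates v0.17.0,
// the release carrying the same fix for x/net/http2.
func xnetVulnerable(version string) bool {
	v, ok := parseVersion(version)
	return !ok || less(v, fixedXNet)
}

// Finding is one line of the verdict for a binary.
type Finding struct {
	Vulnerable bool
	Reason     string
}

// assess combines the toolchain verdict with, if golang.org/x/net is linked at all, the
// verdict for that module: code calling x/net/http2 directly runs that copy, not the toolchain's.
func assess(goVersion string, deps map[string]string) []Finding {
	vuln, why := goToolchainVulnerable(goVersion)
	out := []Finding{{vuln, "toolchain: " + why}}
	if xv, ok := deps["golang.org/x/net"]; ok {
		if xnetVulnerable(xv) {
			out = append(out, Finding{true, "golang.org/x/net " + xv + " < v0.17.0: rebuild against v0.17.0 or later"})
		} else {
			out = append(out, Finding{false, "golang.org/x/net " + xv + " includes the x/net/http2 fix"})
		}
	}
	return out
}

func report(name, goVersion string, deps map[string]string) {
	fmt.Printf("%s (%s)\n", name, goVersion)
	for _, f := range assess(goVersion, deps) {
		fmt.Printf("  [vulnerable=%t] %s\n", f.Vulnerable, f.Reason)
	}
}

func main() {
	// The running binary; `go version -m <path>` prints the same fields for any other one.
	if bi, ok := debug.ReadBuildInfo(); ok {
		deps := map[string]string{}
		for _, d := range bi.Deps {
			if d.Replace != nil { // judge what was actually linked
				d = d.Replace
			}
			deps[d.Path] = d.Version
		}
		report("this binary", bi.GoVersion, deps)
	}
	// Constructed sample shaped like the etcd case: patched toolchain, stale vendored x/net.
	report("constructed etcd-like build", "go1.20.10", map[string]string{"golang.org/x/net": "v0.15.0"})
}
```

For a deployed binary, feed the toolchain line and the `dep`/`=>` lines of `go version -m` into `assess`; where the source is available, `govulncheck` reaches the same conclusion with call-graph precision and also reports whether the vulnerable http2 code is reachable at all.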
GHSA
GHSA-m633-wxj8-4r58: incomplete fix shipped for Rapid Reset (CVE-2023-44487/CVE-2023-39325) in OpenShift containers
ghsa_unreviewed · 2024-04-25 · CVSS 7.5 · CVE-2023-6596 [HIGH] CWE-400
An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability in OpenShift containers.
OSV
Go vulnerabilities
osv · 2024-01-11 · CVSS 6.1 · CVE-2023-39318 [MEDIUM]
Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of the html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly use this issue to cause a panic resulting in a denial of se
GHSA
Traefik vulnerable to HTTP/2 request causing denial of service
ghsa · 2023-10-17 · CVSS 7.5 · CVE-2023-39325 [HIGH] CWE-400
### Impact
A vulnerability, CVE-2023-39325, exists in [Go's handling of HTTP/2 requests](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ?pli=1), which impacts Traefik. This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
- [CVE-2023-39325](https://www.cve.org/CVERecord?id=CVE-2023-39325)
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.10.5
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta4
OSV
Traefik vulnerable to HTTP/2 request causing denial of service
osv · 2023-10-17 · CVSS 7.5 · CVE-2023-39325 [HIGH] (mirror of the GHSA advisory: same impact, references and patches)
OSV
HTTP/2 rapid reset can cause excessive work in net/http
osv · 2023-10-11 · CVE-2023-39325 [HIGH]
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the con
GHSA
HTTP/2 rapid reset can cause excessive work in net/http
ghsa · 2023-10-11 · CVE-2023-39325 [HIGH] CWE-400 (mirror of the OSV advisory with the same text)
OSV
CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption
osv · 2023-10-11 · CVSS 7.5 · CVE-2023-39325 [HIGH]
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http
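The fix described above gives a new request one of three outcomes: run it if a handler slot is free, queue it if all MaxConcurrentStreams slots are busy (possible only after the client reset an in-flight stream), and terminate the connection if the queue grows too large. The following is an added example, not the Go project's patch: a per-connection limiter with the same three outcomes, attached to a standard-library net/http server through Server.ConnContext (net/http passes that context into its HTTP/2 server, so the value is visible from every stream's request) and enforced by handler middleware. It is defense in depth for a service that cannot yet be rebuilt on Go 1.20.10/1.21.3 or golang.org/x/net v0.17.0. The run limit of 250 (Go's default MaxConcurrentStreams), the queue depth of 250 and the certificate paths server.crt/server.key are assumptions.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"sync"
)

type admission int

const (
	admitRun      admission = iota // a handler slot was free: ran immediately
	admitQueue                     // all slots busy: waited for one, then ran
	admitOverflow                  // queue full: the peer resets faster than we serve
)

// streamLimiter has the shape of the Go fix: at most maxRun handler goroutines run at
// once per connection, later requests wait in a queue of at most maxWait, and a full
// queue ends the connection. It counts executing handlers, not open streams: a reset
// stream is gone from the stream table but its handler goroutine is still running.
type streamLimiter struct {
	mu               sync.Mutex
	cond             *sync.Cond
	running, waiting int
	maxRun, maxWait  int
}

func newStreamLimiter(maxRun, maxWait int) *streamLimiter {
	l := &streamLimiter{maxRun: maxRun, maxWait: maxWait}
	l.cond = sync.NewCond(&l.mu)
	return l
}

// Reserve takes a slot, waiting in the queue if needed; with the queue already full
// it returns admitOverflow at once and takes nothing.
func (l *streamLimiter) Reserve() admission {
	l.mu.Lock()
	defer l.mu.Unlock()
	switch {
	case l.running < l.maxRun:
		l.running++
		return admitRun
	case l.waiting >= l.maxWait:
		return admitOverflow
	}
	l.waiting++
	for l.running >= l.maxRun {
		l.cond.Wait()
	}
	l.waiting--
	l.running++
	return admitQueue
}

// Release frees a slot and wakes one queued request.
func (l *streamLimiter) Release() {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.running--
	l.cond.Signal()
}

// Waiting reports how many requests are queued on this connection.
func (l *streamLimiter) Waiting() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.waiting
}

type connKey struct{}
type limitedConn struct {
	conn net.Conn
	lim  *streamLimiter
}

// perConn is the http.Server.ConnContext hook: one limiter per accepted connection.
func perConn(maxRun, maxWait int) func(context.Context, net.Conn) context.Context {
	return func(ctx context.Context, c net.Conn) context.Context {
		return context.WithValue(ctx, connKey{}, &limitedConn{c, newStreamLimiter(maxRun, maxWait)})
	}
}

// limitHandlers is the middleware: run, queue, or drop the connection.
func limitHandlers(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		lc, _ := r.Context().Value(connKey{}).(*limitedConn)
		if lc == nil { // server started without perConn (e.g. httptest): nothing to enforce
			next.ServeHTTP(w, r)
			return
		}
		if lc.lim.Reserve() == admitOverflow {
			lc.conn.Close() // what the patched server does once its queue grows too large
			http.Error(w, "too many in-flight streams", http.StatusServiceUnavailable)
			return
		}
		defer lc.lim.Release()
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	srv := &http.Server{Addr: ":8443", Handler: limitHandlers(ok), ConnContext: perConn(250, 250)}
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key")) // placeholder paths; net/http only speaks h2 over TLS
}
```

The limiter deliberately counts executing handlers rather than open streams, because that is the quantity an RST_STREAM flood inflates in an unpatched server. Note what it does not do: net/http still spawns a goroutine per stream before the middleware runs, so this caps the work those goroutines perform, not their creation; the upgrade remains the real fix.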
Red Hat
github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique
vendor_redhat · 2026-06-23 · CVSS 7.5 · CVE-2023-54365 [HIGH] CWE-770
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
A flaw was found in Traefik's HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is inherited from the Go standard librar
Red Hat
ose-olm-catalogd-container: incomplete fix for rapid reset (CVE-2023-39325/CVE-2023-44487)
vendor_redhat · 2024-12-16 · CVSS 7.5 · CVE-2024-12698 [HIGH] CWE-400
An incomplete fix for ose-olm-catalogd-container was issued for the Rapid Reset vulnerability (CVE-2023-39325/CVE-2023-44487) where only unauthenticated streams were protected, not streams created by authenticated sources.
Mitigation: Red Hat Product Security does not have any mitigation recommendations at this time. Please update as soon as possible.
Ubuntu
Go vulnerabilities
vendor_ubuntu · 2024-11-14 · CVSS 7.5 · CVE-2023-29405 [HIGH]
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8 · CVE-2017-12424 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Ubuntu
Go vulnerabilities
vendor_ubuntu · 2024-10-10 · CVSS 9.8 · CVE-2023-29405 [CRITICAL]
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as Javascript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special characters in directory or file paths. An attacker could possibly use this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permissio
Red Hat
etcd: Incomplete fix for CVE-2023-39325/CVE-2023-44487 in OpenStack Platform
vendor_redhat · 2024-05-06 · CVSS 7.5 · CVE-2024-4438 [HIGH] CWE-400
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
Ubuntu
Go vulnerabilities
vendor_ubuntu · 2024-01-11 · CVSS 6.1 · CVE-2023-39326 [MEDIUM]
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of the html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly us
Red Hat
openshift: incomplete fix for Rapid Reset (CVE-2023-44487/CVE-2023-39325)
vendor_redhat · 2024-01-04 · CVSS 7.5 · CVE-2023-6596 [HIGH] CWE-400
An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability in OpenShift containers.
Package: openshift4/ose-olm-rukpak-rhel8 (Red Hat OpenShift Container Platform 4) - Not affected
Red Hat
golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
vendor_redhat · 2023-10-10 · CVSS 7.5 · CVE-2023-39325 [HIGH] CWE-400
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too larg
Microsoft
HTTP/2 rapid reset can cause excessive work in net/http
vendor_msrc · 2023-10-10 · CVSS 7.5 · CVE-2023-39325 [HIGH] CWE-770
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micro
Red Hat
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
vendor_redhat · 2023-10-10 · CVSS 7.5 · CVE-2023-44487 [HIGH] CWE-400
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the U
Debian
CVE-2023-39325: golang-1.15 - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption
vendor_debian · 2023 · CVSS 7.5 · CVE-2023-39325 [HIGH]
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2023-54365 github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique
bugzilla · 2026-06-23 · CVSS 7.5 · CVE-2023-54365 [HIGH]
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
Bugzilla
CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack)
bugzilla · 2024-09-04 · CVSS 7.5 · CVE-2024-8421 [HIGH]
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
Discussion:
https://pkg.go.dev/golang.org/x/net?tab=versions
Is it accurate to say that anything that has rebased golang x/net to >= 0.22.0 resolves this issue?
---
(In reply to Lon Hohberger from comment #6)
> https://pkg.go.dev/golang.org/x/net?tab=versions
>
> Is it accurate to say that anything that has rebased golang x/net to >=
> 0.22.0 reso
Bugzilla
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
bugzilla · 2023-10-11 · CVSS 7.5 · CVE-2023-39325 [HIGH]
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
This CVE is specific to golang, but is also tracked as CVE-2023-44487.
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 2243616]
Affects: fedora-all [bug 2243617]
---
This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2023:5719 https://access.redhat.com/errata/RH
References
- https://access.redhat.com/errata/RHSA-2024:0485
- https://access.redhat.com/errata/RHSA-2024:0682
- https://access.redhat.com/security/cve/CVE-2023-6596
- https://bugzilla.redhat.com/show_bug.cgi?id=2253521