⚠ Actively exploited

Added to CISA KEV on 2023-10-10. Federal agencies required to patch by 2023-10-31. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2023-44487

CWE-400 — Uncontrolled Resource Consumption52 documents20 sources

Severity

7.5HIGH

EPSS

94.4%

top 0.03%

CISA KEV

KEV

Added 2023-10-10

Due 2023-10-31

Exploit

Exploited in wild

Active exploitation observed

Affected products

120

Github.com Kumahq/kuma Github.com Nghttp2/nghttp2 Github.com Traefik/traefik +117 more

Timeline

PublishedOct 10

KEV addedOct 10

KEV dueOct 31

Latest updateNov 26

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages139 packages

▶NVDakka/http_server< 10.5.3

▶Mavenorg.eclipse.jetty.http2:http2-server9.3.0 — 9.4.53+2

▶Mavenorg.eclipse.jetty.http2:jetty-http2-server12.0.0 — 12.0.2

▶CVEListV5apache_software_foundation/apache_http_server2.4.17 — 2.4.57

▶NVDgolang/http2< 0.17.0

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38, Enterprise Linux 6.0, 8.0, 9.0, Openshift Container Platform 4.0

Patches

Patch: cgit.freebsd.org ↗Patch: gist.github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

netty vulnerabilities↗2024-09-05

▶

OSV

nghttp2 vulnerability↗2024-05-07

▶

OSV

dotnet6, dotnet7 vulnerabilities↗2023-10-19

▶

GHSA

github.com/kumahq/kuma affected by CVE-2023-44487↗2023-10-17

▶

OSV

github.com/kumahq/kuma affected by CVE-2023-44487↗2023-10-17

▶

💥Exploits & PoCs

Exploit-DB

HTTP/2 2.0 - Denial Of Service (DOS)↗2025-09-16

▶

📋Vendor Advisories

Ubuntu

H2O vulnerability↗2025-11-26

▶

Ubuntu

H2O vulnerability↗2025-04-30

▶

Ubuntu

Node.js vulnerability↗2025-04-29

▶

Ubuntu

Apache Traffic Server vulnerability↗2025-04-28

▶

Ubuntu

Apache Tomcat vulnerability↗2025-04-28

▶

🕵️Threat Intelligence

Talos

What to know about the HTTP/2 Rapid Reset DDoS attacks↗2023-10-11

▶

Talos

What to know about the HTTP/2 Rapid Reset DDoS attacks↗2023-10-11

▶

Qualys

Understanding the HTTP/2 Rapid Reset Attack (CVE-2023-44487) | Qualys↗2023-10-10

▶

Qualys

CVE-2023-44487 HTTP/2 Rapid Reset Attack↗2023-10-10

▶

Huntress

CVE-2023-44487 Vulnerability: Analysis, Impact, Mitigation | Huntress↗

▶