HTTP/2 Rapid Reset: How a Single TCP Connection Can Nuke a Server
Vulnerability ID: CVE-2023-44487
CVSS Score: 7.5
Published: 2023-10-10
CVE-2023-44487, dubbed 'Rapid Reset,' is a protocol-level weakness in HTTP/2 that lets a single client drive a server into resource exhaustion over one TCP connection. HTTP/2 multiplexes many streams on a connection and caps how many may be open at once (SETTINGS_MAX_CONCURRENT_STREAMS, which the RFC recommends be no smaller than 100). A client can open a stream with a HEADERS frame and cancel it with RST_STREAM in the very next frame; the cancelled stream immediately stops counting against the cap, but the server has already paid to parse the headers, allocate stream state, and dispatch the request, and often completes that work before it notices the cancellation. An attacker therefore sends a steady flow of HEADERS/RST_STREAM pairs, costing itself a few dozen bytes per request, while the server pays full setup and teardown cost for each and the concurrency limit is never tripped. This asymmetry yields a denial of service that sidesteps the protocol's built-in backpressure, and rate limits that count completed requests or responses see little of it. Because the weakness lies in how the protocol's cancellation semantics interact with the way nearly every server implementation schedules work, rather than in a bug in one product, it prompted a coordinated, internet-wide patching effort across web servers, CDNs, and load balancers.
TL;DR
A design weakness in the HTTP/2 protocol allows an attacker to open and immediately cancel a very large number of streams over a single connection. The server burns CPU and memory setting up and tearing down work that is never delivered, and can be driven to exhaustion from one client. Because the issue is in the protocol's interaction with common server designs rather than in one product, almost every HTTP/2 implementation was vulnerable. It has been exploited in the wild at record-breaking scale.
⚠️ Exploit Status: ACTIVE
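The following Go program is an added illustration, not code from the original post or from any of the referenced PoCs. It encodes and decodes raw HTTP/2 frame headers (RFC 9113 layout: 24-bit length, type, flags, 31-bit stream id), builds the HEADERS/RST_STREAM(CANCEL) sequence the attack relies on, and replays it against a model of a pre-patch server that dispatches a handler as soon as HEADERS arrives. The `GET /` payload stands in for a real HPACK header block, and the server model is a constructed abstraction; the point it shows is that peak concurrency never exceeds one stream, so SETTINGS_MAX_CONCURRENT_STREAMS is never violated, yet every one of the 10,000 requests was dispatched.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame types, flags, and the CANCEL error code (RFC 9113 sections 6 and 7).
const (
	frameHeaders   byte   = 0x1
	frameRSTStream byte   = 0x3
	flagEndStream  byte   = 0x1
	flagEndHeaders byte   = 0x4
	errCancel      uint32 = 0x8
	frameHeaderLen        = 9
)

// Frame is the 9-octet frame header plus its payload.
type Frame struct {
	Type     byte
	Flags    byte
	StreamID uint32
	Payload  []byte
}

// encodeFrame serialises a frame: 24-bit length, type, flags, reserved bit + 31-bit stream id.
func encodeFrame(f Frame) []byte {
	buf := make([]byte, frameHeaderLen+len(f.Payload))
	buf[0] = byte(len(f.Payload) >> 16)
	buf[1] = byte(len(f.Payload) >> 8)
	buf[2] = byte(len(f.Payload))
	buf[3] = f.Type
	buf[4] = f.Flags
	binary.BigEndian.PutUint32(buf[5:9], f.StreamID&0x7fffffff)
	copy(buf[frameHeaderLen:], f.Payload)
	return buf
}

// decodeFrames parses a byte stream into frames and rejects truncated input.
func decodeFrames(b []byte) ([]Frame, error) {
	var frames []Frame
	for len(b) > 0 {
		if len(b) < frameHeaderLen {
			return nil, errors.New("truncated frame header")
		}
		n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
		if len(b) < frameHeaderLen+n {
			return nil, errors.New("truncated frame payload")
		}
		frames = append(frames, Frame{
			Type:     b[3],
			Flags:    b[4],
			StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff,
			Payload:  b[frameHeaderLen : frameHeaderLen+n],
		})
		b = b[frameHeaderLen+n:]
	}
	return frames, nil
}

// rapidResetBurst builds the attacker's byte stream: n requests, each a HEADERS frame
// immediately followed by RST_STREAM(CANCEL) on the same stream. Client-initiated
// streams use odd ids. The header payload is a constructed placeholder, not real HPACK.
func rapidResetBurst(n int) []byte {
	var out []byte
	rst := make([]byte, 4)
	binary.BigEndian.PutUint32(rst, errCancel)
	for i := 0; i < n; i++ {
		sid := uint32(2*i + 1)
		out = append(out, encodeFrame(Frame{Type: frameHeaders, Flags: flagEndHeaders | flagEndStream, StreamID: sid, Payload: []byte("GET /")})...)
		out = append(out, encodeFrame(Frame{Type: frameRSTStream, StreamID: sid, Payload: rst})...)
	}
	return out
}

// Stats is what a naive server observes for the connection.
type Stats struct {
	Opened, Reset, PeakConcurrent, Dispatched int
}

// account replays frames against a constructed model of a pre-patch server: a handler is
// dispatched the moment HEADERS arrives, and a reset stream stops counting immediately.
func account(frames []Frame, maxConcurrent int) (Stats, error) {
	open := map[uint32]bool{}
	var s Stats
	for _, f := range frames {
		switch f.Type {
		case frameHeaders:
			if len(open) >= maxConcurrent {
				return s, fmt.Errorf("stream %d exceeds max concurrent streams", f.StreamID)
			}
			open[f.StreamID] = true
			s.Opened++
			s.Dispatched++ // header parsing, stream state, handler start: paid regardless of what follows
			if len(open) > s.PeakConcurrent {
				s.PeakConcurrent = len(open)
			}
		case frameRSTStream:
			if open[f.StreamID] {
				delete(open, f.StreamID)
				s.Reset++
			}
		}
	}
	return s, nil
}

func main() {
	frames, err := decodeFrames(rapidResetBurst(10000))
	if err != nil {
		panic(err)
	}
	st, err := account(frames, 100)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", st) // {Opened:10000 Reset:10000 PeakConcurrent:1 Dispatched:10000}
}
```

The attacker's 10,000 requests cost it 270 KB on the wire (27 bytes per pair here), while the modelled server dispatched 10,000 handlers without ever exceeding one concurrent stream. That gap between "streams the limit can see" and "work actually started" is the whole vulnerability.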
Technical Details
- CWE ID: CWE-400
- CWE Name: Uncontrolled Resource Consumption
- Attack Vector: Network
- CVSS Score: 7.5 (High)
- EPSS Score: 0.944 (94.4%)
- Impact: Denial of Service
- Exploit Status: Active Exploitation
- KEV Status: Listed in CISA KEV Catalog
Affected Systems
- Any web server, CDN, load balancer, reverse proxy, or application framework whose HTTP/2 server implementation starts request work as soon as a stream opens and does not bound the rate or cost of client-initiated stream resets.
- Various HTTP/2 Implementations: All unpatched versions
Exploit Details
- GitHub: Proof-of-concept exploit script for demonstrating the HTTP/2 Rapid Reset vulnerability.
- GitHub: Another PoC implementation in Go for testing server resilience against CVE-2023-44487.
Mitigation Strategies
- Apply vendor-supplied patches immediately to all affected systems. Patched implementations typically either rate-limit RST_STREAM frames per connection and close the connection (GOAWAY) when the limit is exceeded, or keep a cancelled stream counting against the concurrency limit until its handler has actually finished.
- Implement rate-limiting on HTTP/2 stream resets at the network edge (e.g., load balancer, WAF, or CDN), and lower SETTINGS_MAX_CONCURRENT_STREAMS and per-connection request limits where the edge product exposes them.
- Monitor per-connection RST_STREAM rates and the ratio of cancelled streams to streams opened, alongside server CPU, memory, and open-connection counts; a connection that cancels nearly every stream it opens, thousands of times per second, is the signature of a Rapid Reset attack.
- As a last resort, consider temporarily disabling HTTP/2 for public-facing services if patching is not possible. Clients negotiate HTTP/1.1 via ALPN, so the service stays reachable, at a performance cost.
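The program below is an added example of the per-connection reset rate-limiting described under the edge rate-limiting and monitoring points above; it is not code from any vendor's patch. It models the control as a token bucket per connection: a client may cancel a burst of streams, and thereafter only a steady number per second, after which the server should send GOAWAY(ENHANCE_YOUR_CALM) and drop the connection. The burst and rate values, the two constructed timelines (an attacker resetting every 200 µs and a browser cancelling a few requests while a user navigates), and the `Decision` type are all assumptions for illustration; real implementations choose their own parameters.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is what the connection handler should do after one RST_STREAM.
type Decision int

const (
	Allow Decision = iota
	Close          // send GOAWAY(ENHANCE_YOUR_CALM) and drop the connection
)

// ResetLimiter is a per-connection token bucket over client-sent RST_STREAM frames.
// Burst tokens are available immediately; Rate tokens are refilled per second.
type ResetLimiter struct {
	Burst  float64
	Rate   float64
	tokens float64
	last   time.Time
	Resets int // total RST_STREAM frames observed, useful to export as a metric
}

func NewResetLimiter(burst, ratePerSec float64, now time.Time) *ResetLimiter {
	return &ResetLimiter{Burst: burst, Rate: ratePerSec, tokens: burst, last: now}
}

// OnReset refills the bucket for elapsed time, then consumes one token per reset.
// With no token left the connection is over budget and must be closed.
func (l *ResetLimiter) OnReset(now time.Time) Decision {
	if elapsed := now.Sub(l.last).Seconds(); elapsed > 0 {
		l.tokens += elapsed * l.Rate
		if l.tokens > l.Burst {
			l.tokens = l.Burst
		}
		l.last = now
	}
	l.Resets++
	if l.tokens < 1 {
		return Close
	}
	l.tokens--
	return Allow
}

// timeline builds n reset timestamps spaced gap apart, starting at start (constructed input).
func timeline(n int, gap time.Duration, start time.Time) []time.Time {
	ts := make([]time.Time, n)
	for i := range ts {
		ts[i] = start.Add(time.Duration(i) * gap)
	}
	return ts
}

// replay feeds a reset timeline through a fresh limiter and returns the index of the
// reset that triggered Close (-1 if none) and how many resets were observed before stopping.
func replay(resets []time.Time, burst, rate float64) (closeAt int, observed int) {
	if len(resets) == 0 {
		return -1, 0
	}
	l := NewResetLimiter(burst, rate, resets[0])
	for i, t := range resets {
		if l.OnReset(t) == Close {
			return i, l.Resets
		}
	}
	return -1, l.Resets
}

func main() {
	start := time.Unix(0, 0)
	const burst, rate = 100, 10 // assumed policy: 100 cancellations up front, then 10 per second

	// Attacker: 5000 resets in one second, one every 200 µs.
	idx, seen := replay(timeline(5000, 200*time.Microsecond, start), burst, rate)
	fmt.Printf("attacker: closed at reset #%d after observing %d\n", idx, seen) // closed at reset #100 after observing 101

	// Legitimate client: 20 cancellations spread over 10 seconds.
	idx, seen = replay(timeline(20, 500*time.Millisecond, start), burst, rate)
	fmt.Printf("browser: closed at reset #%d after observing %d\n", idx, seen) // closed at reset #-1 after observing 20
}
```

Two design points worth keeping from this: the budget is per connection, so a limit tight enough to stop one attacker does not punish the population, and the budget is spent on resets rather than on open streams, which is exactly the quantity SETTINGS_MAX_CONCURRENT_STREAMS fails to see. The `Resets` counter is the metric to export for the monitoring point above.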
Remediation Steps
- Inventory all public-facing servers, load balancers, and services running HTTP/2.
- Consult vendor advisories (e.g., Nginx, Apache, F5, Cloudflare, Google Cloud, AWS) for specific patch information and version numbers.
- Schedule and apply the necessary updates during a maintenance window.
- Verify that the patch has been applied by checking the running binary or library version against the advisory, and, in a staging environment, replaying a reset burst against the patched build to confirm the connection is closed with GOAWAY or that CPU stays bounded; then monitor production for stability and performance under load.
- Ensure your network security appliances have updated signatures to detect and block this attack pattern.
References
- NVD - CVE-2023-44487
- Cloudflare: Technical Deep Dive on the HTTP/2 Rapid Reset DDoS Attack
- CISA Alert (AA23-284A): HTTP/2 Rapid Reset Vulnerability
- Google Cloud: Mitigating the largest DDoS attack in history