CVE-2023-44487

HIGHScheduled

Published:Oct 10, 2023(2 years ago)

Modified:Nov 7, 2025

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

292

Vendor	Product	Versions	Fixed In
ietf	http	-	-
nghttp2	nghttp2	1.57.0	-
netty	netty	4.1.100

Timeline

Published
CVE disclosed publicly
Oct 10, 20232 years ago
Last Modified
Most recent update
Nov 7, 20256 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

287

http://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List
http://www.openwall.com/lists/oss-security/2023/10/10/7Mailing List
http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List

CVSS Score

v3.1

7.5/ 10.0

HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

At a Glance

292

Affected Products

287

References

ietf / http

http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List

http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List

http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List

https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory

https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-p...Press/Media Coverage

https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos...Technical Description

https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking...Third Party Advisory

https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerabl...Vendor Advisory

https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve...Press/Media Coverage

https://blog.vespa.ai/cve-2023-44487/Vendor Advisory

https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking

https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f...Mailing List

https://cloud.google.com/blog/products/identity-security/google-cloud-...Technical Description

https://cloud.google.com/blog/products/identity-security/how-it-works-...Technical Description

https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487...Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundar...Third Party Advisory

https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link

https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44...Vendor Advisory

https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking

https://github.com/Azure/AKS/issues/3947Issue Tracking

https://github.com/Kong/kong/discussions/11741Issue Tracking

https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory

https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation

https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch

https://github.com/akka/akka-http/issues/4323Issue Tracking

https://github.com/alibaba/tengine/issues/1872Issue Tracking

https://github.com/apache/apisix/issues/10320Issue Tracking

https://github.com/apache/httpd-site/pull/10Issue Tracking

https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d...Product

https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http...Product

https://github.com/apache/trafficserver/pull/10564Issue Tracking

https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory

https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory

https://github.com/caddyserver/caddy/issues/5877Issue Tracking

https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes

https://github.com/dotnet/announcements/issues/277Issue Tracking

https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec...Product

https://github.com/eclipse/jetty.project/issues/10679Issue Tracking

https://github.com/envoyproxy/envoy/pull/30055Issue Tracking

https://github.com/etcd-io/etcd/issues/16740Issue Tracking

https://github.com/facebook/proxygen/pull/466Issue Tracking

https://github.com/golang/go/issues/63417Issue Tracking

https://github.com/grpc/grpc-go/pull/6703Issue Tracking

https://github.com/grpc/grpc/releases/tag/v1.59.2Mailing List

https://github.com/h2o/h2o/pull/3291Issue Tracking

https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory

https://github.com/haproxy/haproxy/issues/2312Issue Tracking

https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd...Product

https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking

https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce...Patch

https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking

https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking

https://github.com/line/armeria/pull/5232Issue Tracking

https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270...Patch

https://github.com/micrictor/http2-rst-streamExploit

https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking

https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a...Patch

https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking

https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes

https://github.com/ninenines/cowboy/issues/1615Issue Tracking

https://github.com/nodejs/node/pull/50121Issue Tracking

https://github.com/openresty/openresty/issues/930Issue Tracking

https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking

https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking

https://github.com/projectcontour/contour/pull/5826Issue Tracking

https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking

https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking

https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List

https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory

https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.f...Mailing List

https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List

https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR...Mailing List

https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis...Third Party Advisory

https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distribu...Patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation

https://my.f5.com/manage/s/article/K000137106Vendor Advisory

https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes

https://news.ycombinator.com/item?id=37830987Issue Tracking

https://news.ycombinator.com/item?id=37830998Issue Tracking

https://news.ycombinator.com/item?id=37831062Issue Tracking

https://news.ycombinator.com/item?id=37837043Issue Tracking

https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-h...Third Party Advisory

https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-rese...Third Party Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityA...Vendor Advisory

https://security.gentoo.org/glsa/202311-09Third Party Advisory

https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240621-0006/Exploit

https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory

https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory

https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1...Release Notes

https://ubuntu.com/security/CVE-2023-44487Vendor Advisory

https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-...Third Party Advisory

https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-v...Third Party Advisory

https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-lar...Press/Media Coverage

https://www.debian.org/security/2023/dsa-5521Mailing List

https://www.debian.org/security/2023/dsa-5522Mailing List

https://www.debian.org/security/2023/dsa-5540Mailing List

https://www.debian.org/security/2023/dsa-5549Mailing List

https://www.debian.org/security/2023/dsa-5558Mailing List

https://www.debian.org/security/2023/dsa-5570Third Party Advisory

https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rap...Third Party Advisory

https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-4...Vendor Advisory

https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-ngin...Mitigation

https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List

https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage

https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage

http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List

http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List

http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List

http://www.openwall.com/lists/oss-security/2025/08/13/6Third Party Advisory