CVE-2023-44487
MEDIUM 5.3 | ⚠ KEV | EPSS 94.4%
nghttp2 - security update
Published: 10/10/2023 | Modified: 5/20/2026 | Added to CISA KEV: 10/10/2023
Description
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
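The mechanism behind the description (HTTP/2 Rapid Reset): a client sends a HEADERS frame to open a stream and immediately a RST_STREAM to cancel it. The server has already parsed the request and scheduled work for it, but the cancelled stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, so one connection can open and cancel streams far faster than the server can process them. The mitigation most implementations shipped is to treat an excessive rate of client-initiated resets on one connection as abuse and close that connection (GOAWAY + close); nghttp2 1.57.0, for instance, added a per-connection stream-reset rate limit. The following is an added example, not code from nghttp2, golang.org/x/net or any other listed project. It models that mitigation as a token bucket over a constructed frame stream; the `Frame` struct, the burst/rate values and the frame sequences are assumptions made for this illustration, and a real server would apply the same check inside its frame parser.

```go
package main

import (
	"fmt"
	"time"
)

// Frame types from RFC 9113 section 6 (only the two this example needs).
const (
	FrameHeaders   uint8 = 0x1
	FrameRSTStream uint8 = 0x3
)

// Frame is a minimal view of an HTTP/2 frame, reduced to the fields a
// reset-rate check needs. Constructed for this example; a real parser
// would hand the limiter the type and stream ID from the 9-byte frame header.
type Frame struct {
	Type     uint8
	StreamID uint32
	At       time.Time // arrival time, so a replay can be checked without sleeping
}

// ResetLimiter is a per-connection token bucket for client-initiated
// RST_STREAM frames. burst is the number of resets tolerated at once,
// rate is how many tokens per second are refilled. Values are assumptions,
// not any project's defaults.
type ResetLimiter struct {
	burst   float64
	rate    float64
	tokens  float64
	last    time.Time
	open    map[uint32]bool // streams opened by HEADERS and not yet reset
	tripped bool
}

func NewResetLimiter(burst int, perSecond float64, now time.Time) *ResetLimiter {
	return &ResetLimiter{
		burst: float64(burst), rate: perSecond, tokens: float64(burst),
		last: now, open: map[uint32]bool{},
	}
}

// Observe feeds one frame. It returns false once the connection should be
// closed because the peer resets streams faster than the bucket allows.
func (l *ResetLimiter) Observe(f Frame) bool {
	if l.tripped {
		return false
	}
	switch f.Type {
	case FrameHeaders:
		l.open[f.StreamID] = true
	case FrameRSTStream:
		// Only resets of streams the client itself opened are counted here;
		// a RST_STREAM for an unknown stream is a protocol error handled elsewhere.
		if !l.open[f.StreamID] {
			return true
		}
		delete(l.open, f.StreamID)
		l.refill(f.At)
		if l.tokens < 1 {
			l.tripped = true
			return false
		}
		l.tokens--
	}
	return true
}

// refill adds rate*elapsed tokens, capped at burst.
func (l *ResetLimiter) refill(now time.Time) {
	elapsed := now.Sub(l.last).Seconds()
	if elapsed > 0 {
		l.tokens += elapsed * l.rate
		if l.tokens > l.burst {
			l.tokens = l.burst
		}
		l.last = now
	}
}

// RapidResetBurst builds a constructed frame sequence in the attack pattern:
// n HEADERS frames, each immediately followed by RST_STREAM on the same
// client (odd-numbered) stream, spread evenly across span.
func RapidResetBurst(n int, start time.Time, span time.Duration) []Frame {
	frames := make([]Frame, 0, 2*n)
	for i := 0; i < n; i++ {
		at := start.Add(time.Duration(int64(span) * int64(i) / int64(n)))
		id := uint32(2*i + 1)
		frames = append(frames, Frame{FrameHeaders, id, at}, Frame{FrameRSTStream, id, at})
	}
	return frames
}

// ShouldCloseConnection replays a frame sequence through a fresh limiter and
// reports whether the connection would be dropped.
func ShouldCloseConnection(frames []Frame, burst int, perSecond float64) bool {
	if len(frames) == 0 {
		return false
	}
	l := NewResetLimiter(burst, perSecond, frames[0].At)
	for _, f := range frames {
		if !l.Observe(f) {
			return true
		}
	}
	return false
}

func main() {
	t0 := time.Unix(1700000000, 0)
	attack := RapidResetBurst(10000, t0, 100*time.Millisecond) // 10k resets in 100 ms
	benign := RapidResetBurst(20, t0, 60*time.Second)          // occasional cancellations
	fmt.Println("attack closes connection:", ShouldCloseConnection(attack, 100, 10))
	fmt.Println("benign closes connection:", ShouldCloseConnection(benign, 100, 10))
}
```

Two caveats when applying this pattern for real: the limiter must sit in front of request dispatch (counting resets after the handler has already been scheduled still lets the work be queued), and a tripped connection should be answered with GOAWAY so a legitimate client that happens to cancel many requests (for example a browser navigating away) can reconnect rather than seeing an unexplained TCP close. Tune burst and rate against observed cancellation rates of your own clients before enforcing.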
Affected packages (51)
- Alpine/lighttpd: from 0, < 1.4.73-r0
- Alpine/nghttp2: from 0, < 1.46.0-r2
- Alpine/nginx: from 0, < 1.20.2-r2
- Alpine/nodejs: from 0, < 0
- Alpine/varnish: from 0, < 7.3.2-r0
- Bitnami/apisix: from 0, < 3.6.1
- Bitnami/aspnet-core: >= 6.0.0, < 6.0.23; >= 7.0.0, < 7.0.12
- Bitnami/contour: from 0, < 1.24.6
- Bitnami/dotnet: >= 6.0.0, < 6.0.23; >= 7.0.0, < 7.0.12
- Bitnami/dotnet-sdk: >= 6.0.0, < 6.0.23; >= 7.0.0, < 7.0.12
- Bitnami/envoy: from 0, < 1.24.12; >= 1.25.0, < 1.25.11; >= 1.26.0, < 1.26.6; >= 1.27.0, < 1.27.2
- Bitnami/golang: from 0, < 1.20.10; >= 1.21.0-0, < 1.21.3
- Bitnami/jenkins: from 0, < 2.414.3; >= 2.415.0, < 2.428.0
- Bitnami/kong: from 0, < 3.4.2
- Bitnami/nginx: >= 1.9.5, < 1.25.3
- Bitnami/nginx-gateway: >= 1.9.5, < 1.25.3
- Bitnami/nginx-ingress-controller: from 0, < 1.9.3
- Bitnami/node: from 0, < 18.18.2; >= 19.0.0, < 20.8.1
- Bitnami/node-min: from 0, < 18.18.2; >= 19.0.0, < 20.8.1
- Bitnami/solr: from 0, < 9.4.0
- Bitnami/tomcat: >= 8.5.0, < 8.5.94; >= 9.0.0, < 9.0.81; >= 10.0.0, < 10.1.14
- Bitnami/varnish: from 0, < 6.0.12; >= 6.1.0, < 7.3.1; >= 7.4.0, < 7.4.2
- Debian/dnsdist: from 0
- Debian/grpc: from 0
- Debian/h2o: from 0, < 2.2.5+dfsg2-2+deb10u2
- Debian/h2o: from 0
- Debian/haproxy: from 0, < 1.8.13-1
- Debian/jetty9: from 0, < 9.4.50-4+deb11u1
- Debian/netty: from 0, < 1:4.1.33-1+deb10u4
- Debian/netty: from 0, < 1:4.1.48-4+deb11u2
- Debian/nghttp2: from 0, < 1.43.0-1+deb11u1
- Debian/nginx: from 0
- Debian/tomcat10: from 0, < 10.1.6-1+deb12u1
- Debian/tomcat9: from 0, < 9.0.43-2~deb11u7
- Debian/trafficserver: from 0, < 8.1.9+ds-1~deb11u1
- Debian/varnish: from 0
- Go/github.com/nghttp2/nghttp2: from 0, < 1.57.0
- Go/golang.org/x/net: from 0, < 0.17.0
- Go/google.golang.org/grpc: from 0, < 1.56.3; >= 1.57.0, < 1.57.1; >= 1.58.0, < 1.58.3
- Maven/com.typesafe.akka:akka-http-core: from 0, < 10.5.3
- Maven/com.typesafe.akka:akka-http-core_2.11: from 0, <= 10.1.15
- Maven/com.typesafe.akka:akka-http-core_2.12: from 0, < 10.5.3
- Maven/com.typesafe.akka:akka-http-core_2.13: from 0, < 10.5.3
- Maven/io.netty:netty-codec-http2: from 0, < 4.1.100.Final
- Maven/org.apache.tomcat.embed:tomcat-embed-core: >= 11.0.0-M1, < 11.0.0-M12
- Maven/org.apache.tomcat:tomcat-coyote: >= 11.0.0-M1, < 11.0.0-M12
- Maven/org.eclipse.jetty.http2:http2-common: >= 9.3.0, < 9.4.53
- Maven/org.eclipse.jetty.http2:http2-server: >= 9.3.0, < 9.4.53
- Maven/org.eclipse.jetty.http2:jetty-http2-common: >= 12.0.0, < 12.0.2
- Maven/org.eclipse.jetty.http2:jetty-http2-server: >= 12.0.0, < 12.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H |
References (266)
- ADVISORY https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- ADVISORY https://github.com/advisories/GHSA-vx74-f528-fxqg
- ADVISORY https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- ADVISORY https://security.alpinelinux.org/vuln/CVE-2023-44487
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2023-44487
- PATCH https://github.com/apple/swift-nio-http2
- PATCH https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721
- PATCH https://github.com/netty/netty
- PATCH https://github.com/nghttp2/nghttp2
- WEB https://access.redhat.com/security/cve/cve-2023-44487
- WEB https://akka.io/security/akka-http-cve-2023-44487.html
- WEB https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size
- WEB https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- WEB https://aws.amazon.com/security/security-bulletins/AWS-2023-011
- WEB https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- WEB https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack
- WEB https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- WEB https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack
- WEB https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- WEB https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty
- WEB https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- WEB https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- WEB https://blog.vespa.ai/cve-2023-44487
- WEB https://blog.vespa.ai/cve-2023-44487/
- WEB https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- WEB https://bugzilla.suse.com/show_bug.cgi?id=1216123
- WEB https://cert-portal.siemens.com/productcert/html/ssa-082556.html
- WEB https://cert-portal.siemens.com/productcert/html/ssa-341067.html
- WEB https://cert-portal.siemens.com/productcert/html/ssa-784301.html
- WEB https://cert-portal.siemens.com/productcert/html/ssa-832273.html
- WEB https://cert-portal.siemens.com/productcert/html/ssa-915275.html
- WEB https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- WEB https://chaos.social/@icing/111210915918780532
- WEB https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps
- WEB https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- WEB https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- WEB https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- WEB https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- WEB https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- WEB https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- WEB https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- WEB https://github.com/akka/akka-http/issues/4323
- WEB https://github.com/akka/akka-http/pull/4324
- WEB https://github.com/akka/akka-http/pull/4325
- WEB https://github.com/alibaba/tengine/issues/1872
- WEB https://github.com/apache/apisix/issues/10320
- WEB https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- WEB https://github.com/apache/httpd-site/pull/10
- … 216 more