CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- September 29, 2023
- Published Date
- October 10, 2023
- Last Updated
- June 07, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- Tags
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- partial
cisa
nessus_scanner
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC Information
References
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
https://news.ycombinator.com/item?id=37831062
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
https://github.com/envoyproxy/envoy/pull/30055
https://github.com/haproxy/haproxy/issues/2312
https://github.com/eclipse/jetty.project/issues/10679
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
https://github.com/alibaba/tengine/issues/1872
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
https://news.ycombinator.com/item?id=37830987
https://news.ycombinator.com/item?id=37830998
https://github.com/caddyserver/caddy/issues/5877
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
https://github.com/bcdannyboy/CVE-2023-44487
https://github.com/grpc/grpc-go/pull/6703
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
https://my.f5.com/manage/s/article/K000137106
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
https://bugzilla.proxmox.com/show_bug.cgi?id=4988
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
http://www.openwall.com/lists/oss-security/2023/10/10/7
http://www.openwall.com/lists/oss-security/2023/10/10/6
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
https://github.com/microsoft/CBL-Mariner/pull/6381
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
https://github.com/facebook/proxygen/pull/466
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
https://github.com/micrictor/http2-rst-stream
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
https://github.com/h2o/h2o/pull/3291
https://github.com/nodejs/node/pull/50121
https://github.com/dotnet/announcements/issues/277
https://github.com/golang/go/issues/63417
https://github.com/advisories/GHSA-vx74-f528-fxqg
https://github.com/apache/trafficserver/pull/10564
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
https://github.com/opensearch-project/data-prepper/issues/3474
https://github.com/kubernetes/kubernetes/pull/121120
https://github.com/oqtane/oqtane.framework/discussions/3367
https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
https://netty.io/news/2023/10/10/4-1-100-Final.html
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
https://news.ycombinator.com/item?id=37837043
https://github.com/kazu-yamamoto/http2/issues/93
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
https://www.debian.org/security/2023/dsa-5522
https://www.debian.org/security/2023/dsa-5521
https://access.redhat.com/security/cve/cve-2023-44487
https://github.com/ninenines/cowboy/issues/1615
https://github.com/varnishcache/varnish-cache/issues/3996
https://github.com/tempesta-tech/tempesta/issues/1986
https://blog.vespa.ai/cve-2023-44487/
https://github.com/etcd-io/etcd/issues/16740
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
https://istio.io/latest/news/security/istio-security-2023-004/
https://github.com/junkurihara/rust-rpxy/issues/97
https://bugzilla.suse.com/show_bug.cgi?id=1216123
https://bugzilla.redhat.com/show_bug.cgi?id=2242803
https://ubuntu.com/security/CVE-2023-44487
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
https://github.com/advisories/GHSA-qppj-fm5r-hxr3
https://github.com/apache/httpd-site/pull/10
https://github.com/projectcontour/contour/pull/5826
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
https://github.com/line/armeria/pull/5232
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
https://security.paloaltonetworks.com/CVE-2023-44487
https://github.com/akka/akka-http/issues/4323
https://github.com/openresty/openresty/issues/930
https://github.com/apache/apisix/issues/10320
https://github.com/Azure/AKS/issues/3947
https://github.com/Kong/kong/discussions/11741
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
https://github.com/caddyserver/caddy/releases/tag/v2.7.5
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
http://www.openwall.com/lists/oss-security/2023/10/13/4
http://www.openwall.com/lists/oss-security/2023/10/13/9
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
https://security.netapp.com/advisory/ntap-20231016-0001/
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
http://www.openwall.com/lists/oss-security/2023/10/18/4
http://www.openwall.com/lists/oss-security/2023/10/18/8
http://www.openwall.com/lists/oss-security/2023/10/19/6
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
https://lists.fedoraproject.org/archives/list/[email protected]/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
http://www.openwall.com/lists/oss-security/2023/10/20/8
https://lists.fedoraproject.org/archives/list/[email protected]/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
https://lists.fedoraproject.org/archives/list/[email protected]/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
https://lists.fedoraproject.org/archives/list/[email protected]/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
https://lists.fedoraproject.org/archives/list/[email protected]/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
https://lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
https://www.debian.org/security/2023/dsa-5540
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
https://lists.fedoraproject.org/archives/list/[email protected]/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
https://lists.fedoraproject.org/archives/list/[email protected]/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
https://lists.fedoraproject.org/archives/list/[email protected]/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
https://www.debian.org/security/2023/dsa-5549
https://lists.fedoraproject.org/archives/list/[email protected]/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
https://www.debian.org/security/2023/dsa-5558
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
https://security.gentoo.org/glsa/202311-09
https://www.debian.org/security/2023/dsa-5570
https://security.netapp.com/advisory/ntap-20240426-0007/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://security.netapp.com/advisory/ntap-20240621-0007/
https://github.com/grpc/grpc/releases/tag/v1.59.2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2023-10-10 00:00:00 UTC |
Recent Mentions
Siemens SIMATIC S7-1500 CPU Family
Source: All CISA Advisories • Published: 2025-06-12 12:00:00 UTC
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC S7-1500 CPU family
Vulnerabilities: Missing Encryption of Sensitive Data, Out-of-bounds Read, Use After Free, Stack-based Buffer Overflow, Incorrect Provision of Specified Functionality, Out-of-bounds Write, Incorrect Calculation of Buffer Size, Heap-based Buffer Overflow, External Control of File Name or Path, Uncontrolled Resource Consumption, Improper Input Validation, Truncation of Security-relevant Information, Missing Critical Step in Authentication, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Access of Resource Using Incompatible Type ('Type Confusion'), Signal Handler Race Condition, Inefficient Algorithmic Complexity, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), NULL Pointer Dereference, Reachable Assertion, Return of Pointer Value Outside of Expected Range, Improper Handling of Length Parameter Inconsistency, Integer Overflow or Wraparound, Improper Locking, Improper Validation of Array Index, Buffer Underwrite ('Buffer Underflow'), Use of Uninitialized Resource, Detection of Error Condition Without Action, Premature Release of Resource During Expected Lifetime
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to affect the confidentiality, integrity, or availability of affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): V3.1.5 and...
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nessus | https://www.tenable.com/plugins/nessus/502811 | 2025-06-02 13:58:51 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
threatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC
Type: github • Created: 2024-12-03 14:54:21 UTC • Stars: 3
sigridou/CVE-2023-44487-
Type: github • Created: 2023-12-11 23:12:03 UTC • Stars: 0
ReToCode/golang-CVE-2023-44487
Type: github • Created: 2023-10-25 09:11:46 UTC • Stars: 2
studiogangster/CVE-2023-44487
Type: github • Created: 2023-10-16 11:07:50 UTC • Stars: 19
A python based exploit to test out rapid reset attack (CVE-2023-44487)
imabee101/CVE-2023-44487
Type: github • Created: 2023-10-11 01:59:47 UTC • Stars: 54
Proof of concept for DoS exploit
bcdannyboy/CVE-2023-44487
Type: github • Created: 2023-10-10 14:20:42 UTC • Stars: 230
Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Proof of Concept Exploit Available
-
Detected by Nessus