logo

Database

Asymmetric denial of service In github.com/nghttp2/nghttp2

Description

github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact

Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.

See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Patches

nghttp2 v1.57.0 mitigates this vulnerability by default.

Workarounds

If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.

References

The following commit mitigates this vulnerability:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-vx74-f528-fxqg2. GCVE-GHSA-vx74-f528-fxqg

References

1. https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg2. https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee17388323. https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.