Safeguard
Vulnerability Analysis

HTTP/2 Rapid Reset zero-day vulnerability CVE-2023-44487

CVE-2023-44487 "HTTP/2 Rapid Reset" enabled record-breaking DDoS attacks via stream-reset abuse. Impact, affected stacks, and remediation steps.

Safeguard Research Team
Research
7 min read

On October 10, 2023, Google, Cloudflare, and Amazon Web Services jointly disclosed CVE-2023-44487, the "HTTP/2 Rapid Reset" vulnerability — a protocol-level weakness that had already been exploited as a zero-day since August 2023 to launch the largest volumetric DDoS attacks ever recorded. Unlike a typical memory-corruption or injection bug, Rapid Reset is a design flaw in how the HTTP/2 protocol handles stream cancellation, and it affects virtually every web server, load balancer, proxy, and application framework that implements HTTP/2 — which today is most of the internet's serving infrastructure. Google reported mitigating an attack peaking at 398 million requests per second; Cloudflare saw 201 million rps; AWS confirmed similar record-breaking floods. These were three to eight times larger than any previously observed DDoS attack, and they were generated by botnets a fraction of the size normally required to achieve that scale.

What Is HTTP/2 Rapid Reset?

HTTP/2 introduced multiplexing: a single TCP connection can carry many concurrent request/response "streams," with servers enforcing a SETTINGS_MAX_CONCURRENT_STREAMS limit (commonly 100) to bound resource usage per connection. The protocol also allows a client to cancel an in-flight stream at any time by sending an RST_STREAM frame.

Rapid Reset abuses the interaction between these two features. An attacker opens a stream and immediately cancels it with RST_STREAM, over and over, as fast as the connection allows — often thousands of times per second on a single connection. Because the stream is canceled before the server has finished processing it, many implementations decrement the "active stream" counter immediately without waiting for the backend work (routing, logging, upstream proxying, authentication checks) to actually finish or unwind cleanly. That means the concurrent-stream limit is effectively meaningless: the client can drive unbounded request throughput at the backend while the server-side accounting shows near-zero open streams. The result is CPU and memory exhaustion, worker-thread starvation, and downstream service overload — all from a single low-bandwidth TCP connection, making it trivial to scale horizontally across a modest botnet for outsized impact.

Because this abuses a legitimate protocol capability rather than a coding defect, no single vendor patch fixed the issue. Each HTTP/2 implementation needed its own fix — typically adding rate limits on stream resets per connection, penalizing connections that reset an abnormal fraction of their streams, or closing connections that exceed a reset threshold.

Affected Versions and Components

CVE-2023-44487 is a protocol-implementation issue, so the exposure list is broad. Vendors and projects that shipped patches or mitigation guidance include:

  • Web/proxy servers: nginx (1.25.3 and backports to stable branches), Apache HTTP Server (2.4.58), Apache Tomcat, Apache Traffic Server, HAProxy (2.8.2, 2.6.14, 2.4.24, 2.2.31, 2.0.32), Envoy Proxy, Caddy
  • Language runtimes/frameworks: Node.js (18.18.2, 20.8.1, 21.0.0), Go net/http and golang.org/x/net/http2 (fixed in Go 1.21.3 / 1.20.10), Netty, gRPC/grpc-go, grpc-java, .NET/Kestrel and HTTP.sys (Microsoft), Jetty, undertow, h2o
  • Cloud/CDN and load-balancing platforms: AWS (ALB, CloudFront, API Gateway), Google Cloud (GFE, Cloud Load Balancing), Microsoft Azure (Front Door, Application Gateway), Cloudflare, F5 BIG-IP, Citrix ADC, Akamai
  • Application servers and middleware built on any of the above HTTP/2 stacks, including Kubernetes ingress controllers (nginx-ingress, Envoy-based Contour/Istio) and API gateways (Kong, Tyk, Apigee)

Any product, container base image, or SBOM component that bundles an unpatched HTTP/2 server or client library inherits this exposure — including internal microservices that terminate HTTP/2 for gRPC traffic, which is a common blind spot since teams often patch edge-facing servers first and forget internal service meshes.

CVSS, EPSS, and KEV Status

  • CVSS v3.1 Base Score: 7.5 (High) — vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-exploitable, low-complexity, unauthenticated attack whose sole impact is availability, but at a severity capable of taking production services offline.
  • EPSS: Given confirmed mass exploitation prior to disclosure and near-universal applicability, EPSS scoring for CVE-2023-44487 sits in the very high percentile range typical of actively-exploited, low-complexity network vulnerabilities — a strong signal that this CVE belongs at the top of any remediation queue regardless of its "availability-only" CVSS impact.
  • CISA KEV Catalog: Added to the Known Exploited Vulnerabilities catalog in October 2023, confirming active in-the-wild exploitation and triggering mandatory remediation timelines for U.S. federal civilian agencies under BOD 22-01. For any organization using KEV membership as a prioritization signal, Rapid Reset should have been treated as a "patch now" item, not a "patch in the next cycle" item.

The gap between the "medium-looking" availability-only CVSS score and the "critical, patch immediately" real-world urgency is a textbook example of why CVSS alone is an insufficient prioritization signal — exploitability, KEV status, and internet-facing exposure matter as much as raw severity math.

Timeline

  • August 2023: Threat actors begin exploiting the flaw as a zero-day, launching sustained record-breaking DDoS campaigns against cloud providers and their customers.
  • Late August–September 2023: Google, Cloudflare, and AWS independently detect and begin mitigating anomalous traffic patterns consistent with the same underlying technique, and start coordinating disclosure.
  • October 10, 2023: Coordinated public disclosure. Google, Cloudflare, and AWS publish joint technical writeups; CVE-2023-44487 is assigned; major vendors (nginx, Apache, Microsoft, Envoy, Go, Node.js, etc.) simultaneously release patches or mitigation guidance.
  • October 2023: CVE-2023-44487 is added to the CISA KEV catalog; the vulnerability receives widespread security-industry attention as one of the largest-scale DDoS enablement bugs in the protocol era.
  • Late 2023–ongoing: Downstream vendors (SaaS platforms, appliance vendors, Kubernetes distributions) continue shipping patched dependency versions as they absorb upstream fixes into their own release cycles — meaning organizations relying on vendor patch cadence may have remained exposed for weeks or months after the initial disclosure.

Remediation Steps

  1. Inventory every HTTP/2-terminating component. Use SBOM data to identify all instances of nginx, Apache httpd/Tomcat, HAProxy, Envoy, Go binaries, Node.js services, .NET/Kestrel apps, Netty/gRPC services, and ingress controllers across production, staging, and internal service mesh environments — not just internet-facing edge servers.
  2. Patch to the fixed versions above, prioritizing internet-facing load balancers, API gateways, and reverse proxies first, then internal gRPC/service-mesh components.
  3. Enable or configure rapid-reset-specific mitigations where available even before a full upgrade is feasible: connection-level limits on stream resets per second, penalizing/closing connections with abnormal RST_STREAM-to-completed-request ratios, and lowering max_concurrent_streams where supported.
  4. Apply WAF/CDN-layer protections. Most major CDNs (Cloudflare, Akamai, AWS Shield/CloudFront, Google Cloud Armor) shipped Rapid-Reset-specific detection rules — ensure these are enabled, not just available.
  5. Add HTTP/2 abuse monitoring. Alert on connections exhibiting high stream-open/stream-reset churn, elevated RST_STREAM frame rates, and mismatches between reported concurrent streams and actual backend request volume.
  6. Consider selectively disabling HTTP/2 on components that cannot be patched promptly and where request-multiplexing performance is not business-critical, falling back to HTTP/1.1 until a fix ships.
  7. Re-verify container base images and vendored dependencies, since HTTP/2 libraries are frequently pulled in transitively (e.g., a gRPC client library bundling its own HTTP/2 stack independent of the host web server).

How Safeguard Helps

CVE-2023-44487 is precisely the kind of vulnerability that turns a strong SBOM into an actionable defense rather than a static inventory. Safeguard automatically generates and ingests SBOMs across your services, container images, and dependency graphs to pinpoint every nginx, Envoy, Go, Node.js, Netty, or gRPC component still running a vulnerable HTTP/2 stack — including transitive dependencies buried in service-mesh sidecars that manual audits routinely miss. Griffin AI then triages each affected component using reachability analysis, distinguishing internet-facing load balancers and API gateways that need emergency patching from internal, non-exploitable code paths, so your team isn't burning a maintenance window on services with no real exposure. For components that need immediate remediation, Safeguard's auto-fix PRs open version-bump changes against the patched nginx, HAProxy, Go, or Node.js releases directly in your repositories, cutting the time between disclosure and deployed fix from weeks to hours. Given Rapid Reset's KEV status and mass-exploitation history, that speed difference is the gap between a routine patch cycle and a multi-hour outage during a live DDoS campaign.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.