What is CVE-2023-44487?

The HTTP/2 Rapid Reset Attack exploits the stream cancellation feature to overwhelm servers with a fraction of normal traffic, enabling massive DDoS attacks. Affected virtually all HTTP/2 implementations.

How do I fix CVE-2023-44487?

Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches. Enable Cloudflare or CDN-level DDoS protection. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx. Implement rate limiting on HTTP/2 connections at the edge. Monitor for traffic spikes and RESET_STREAM frames. Consider disabling HTTP/2 on exposed endpoints if not required.

highCVSS 7.5/10·Published: 2023-10-10·HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

How to fix CVE-2023-44487 – Step-by-Step Guide

CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a high-severity vulnerability (CVSS 7.5) affecting virtually all HTTP/2 server implementations. Published on October 10, 2023, this critical flaw enables highly efficient denial-of-service attacks.

CVE ID

CVE-2023-44487

Severity

HIGH

CVSS Score

7.5/10

Affected

HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

What is HTTP/2 Rapid Reset DDoS Attack?

The HTTP/2 Rapid Reset Attack exploits a design flaw in the protocol's stream cancellation mechanism. Attackers repeatedly send new streams and immediately cancel them, creating a massive backlog of server-side processing without fully completing requests. This overwhelms server resources, making it highly susceptible to denial-of-service.

Affected Versions

All HTTP/2 server implementations (pre-patch)

Fixed In

Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches

Official References

Impact and Risks for your Infrastructure

This vulnerability allows attackers to launch devastating DDoS attacks with minimal resources, potentially taking down critical services. Businesses face significant operational disruption, revenue loss, and reputational damage due to service unavailability. Infrastructure can be overwhelmed, leading to costly resource scaling or complete outages.

http2ddosnginxhigh2023

Step-by-Step Mitigation Guide

To mitigate, update your HTTP/2 server software to the latest patched versions, such as Nginx 1.25.3+ or nghttp2 1.57.0+. Consult your vendor's specific advisories for patches. Verify the fix by checking your server's version number and monitoring for unusual traffic patterns or resource spikes.

1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2Enable Cloudflare or CDN-level DDoS protection.
3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4Implement rate limiting on HTTP/2 connections at the edge.
5Monitor for traffic spikes and RESET_STREAM frames.
6Consider disabling HTTP/2 on exposed endpoints if not required.

Frequently Asked Questions

What is the CVSS score for CVE-2023-44487?▼

CVE-2023-44487 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare) are affected?▼

Affected: All HTTP/2 server implementations (pre-patch). The vulnerability was fixed in: Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches.

How long does it take to fix CVE-2023-44487?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2023-44487 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.