What is CVE-2023-44487?

The HTTP/2 Rapid Reset Attack exploits the stream cancellation feature to overwhelm servers with a fraction of normal traffic, enabling massive DDoS attacks. Affected virtually all HTTP/2 implementations.

How do I fix CVE-2023-44487?

Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches. Enable Cloudflare or CDN-level DDoS protection. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx. Implement rate limiting on HTTP/2 connections at the edge. Monitor for traffic spikes and RESET_STREAM frames. Consider disabling HTTP/2 on exposed endpoints if not required.

highCVSS 7.5/10·Published: 2023-10-10·HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

How to fix CVE-2023-44487 – Step-by-Step Guide

CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a high-severity vulnerability (CVSS 7.5) published on October 10, 2023. This critical flaw enables attackers to launch highly efficient denial-of-service attacks against HTTP/2 servers. It affects virtually all HTTP/2 implementations.

CVE ID

CVE-2023-44487

Severity

HIGH

CVSS Score

7.5/10

Affected

HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

What is HTTP/2 Rapid Reset DDoS Attack?

The HTTP/2 Rapid Reset Attack exploits a flaw in the protocol's stream cancellation mechanism. Attackers rapidly open and reset numerous streams within a single HTTP/2 connection. This overwhelms server resources by forcing excessive processing of stream state changes, leading to a denial of service with minimal attacker bandwidth.

Affected Versions

All HTTP/2 server implementations (pre-patch)

Fixed In

Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches

Official References

Impact and Risks for your Infrastructure

This vulnerability enables highly efficient DDoS attacks, allowing attackers to overwhelm server infrastructure with minimal resources. Businesses face significant service disruptions, potential data loss from overloaded systems, and reputational damage due to prolonged outages. The high CVSS score reflects its critical potential for widespread impact.

http2ddosnginxhigh2023

Step-by-Step Mitigation Guide

Immediately update all HTTP/2 server implementations to patched versions. For Nginx, upgrade to 1.25.3+. For other vendors like Apache, Node.js, Go, AWS, and Cloudflare, apply their specific security updates. Verify the fix by confirming your server's HTTP/2 library or software version matches the patched release.

1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2Enable Cloudflare or CDN-level DDoS protection.
3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4Implement rate limiting on HTTP/2 connections at the edge.
5Monitor for traffic spikes and RESET_STREAM frames.
6Consider disabling HTTP/2 on exposed endpoints if not required.

Frequently Asked Questions

What is the CVSS score for CVE-2023-44487?▼

CVE-2023-44487 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare) are affected?▼

Affected: All HTTP/2 server implementations (pre-patch). The vulnerability was fixed in: Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches.

How long does it take to fix CVE-2023-44487?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2023-44487 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.