What is CVE-2023-44487?

The HTTP/2 Rapid Reset Attack exploits the stream cancellation feature to overwhelm servers with a fraction of normal traffic, enabling massive DDoS attacks. Affected virtually all HTTP/2 implementations.

How do I fix CVE-2023-44487?

Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches. Enable Cloudflare or CDN-level DDoS protection. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx. Implement rate limiting on HTTP/2 connections at the edge. Monitor for traffic spikes and RESET_STREAM frames. Consider disabling HTTP/2 on exposed endpoints if not required.

highCVSS 7.5/10·Published: 2023-10-10·HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

How to fix CVE-2023-44487 – Step-by-Step Guide

CVE-2023-44487, known as the HTTP/2 Rapid Reset Attack, is a critical vulnerability impacting virtually all HTTP/2 server implementations. This high-severity DDoS flaw allows attackers to overwhelm servers with minimal resources, posing a significant threat to online services.

CVE ID

CVE-2023-44487

Severity

HIGH

CVSS Score

7.5/10

Affected

HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

What is HTTP/2 Rapid Reset DDoS Attack?

The HTTP/2 Rapid Reset Attack exploits a flaw in the protocol's stream cancellation mechanism. Attackers repeatedly open and immediately reset streams within a single connection, bypassing server-side connection limits. This rapid stream cycling consumes server resources disproportionately, leading to denial of service with minimal attacker bandwidth.

Affected Versions

All HTTP/2 server implementations (pre-patch)

Fixed In

Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches

Official References

Impact and Risks for your Infrastructure

This vulnerability enables highly efficient DDoS attacks, capable of overwhelming HTTP/2 servers with minimal attacker resources. Successful exploitation leads to severe service disruption, infrastructure downtime, and potential data loss due to resource exhaustion across web services.

http2ddosnginxhigh2023

Step-by-Step Mitigation Guide

To mitigate CVE-2023-44487, update all HTTP/2 server implementations to patched versions immediately. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Consult your vendor for specific patches for Apache, Node.js, Go, AWS, and Cloudflare. Verify the fix by ensuring your server software reports the updated version number.

1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2Enable Cloudflare or CDN-level DDoS protection.
3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4Implement rate limiting on HTTP/2 connections at the edge.
5Monitor for traffic spikes and RESET_STREAM frames.
6Consider disabling HTTP/2 on exposed endpoints if not required.

Frequently Asked Questions

What is the CVSS score for CVE-2023-44487?▼

CVE-2023-44487 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare) are affected?▼

Affected: All HTTP/2 server implementations (pre-patch). The vulnerability was fixed in: Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches.

How long does it take to fix CVE-2023-44487?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2023-44487 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.