What is CVE-2023-44487?

The HTTP/2 Rapid Reset Attack exploits the stream cancellation feature to overwhelm servers with a fraction of normal traffic, enabling massive DDoS attacks. Affected virtually all HTTP/2 implementations.

How do I fix CVE-2023-44487?

Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches. Enable Cloudflare or CDN-level DDoS protection. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx. Implement rate limiting on HTTP/2 connections at the edge. Monitor for traffic spikes and RESET_STREAM frames. Consider disabling HTTP/2 on exposed endpoints if not required.

highCVSS 7.5/10·Published: 2023-10-10·HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

How to fix CVE-2023-44487 – Step-by-Step Guide

CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a high-severity vulnerability (CVSS 7.5) published on October 10, 2023. This critical flaw affects virtually all HTTP/2 server implementations, enabling highly efficient denial-of-service attacks. Immediate action is required to protect your infrastructure.

CVE ID

CVE-2023-44487

Severity

HIGH

CVSS Score

7.5/10

Affected

HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

What is HTTP/2 Rapid Reset DDoS Attack?

The HTTP/2 Rapid Reset Attack exploits a flaw in the protocol's stream cancellation mechanism. Attackers repeatedly open and immediately reset numerous HTTP/2 streams within a single connection. This rapid cycle overwhelms server resources, consuming CPU and memory without completing requests, leading to a denial of service.

Affected Versions

All HTTP/2 server implementations (pre-patch)

Fixed In

Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches

Official References

Impact and Risks for your Infrastructure

This vulnerability enables extremely efficient DDoS attacks, allowing attackers to overwhelm servers with minimal resources. Businesses face severe service disruptions, reputational damage, and potential financial losses due to unavailability. Infrastructure can experience significant performance degradation and complete outages.

http2ddosnginxhigh2023

Step-by-Step Mitigation Guide

To mitigate CVE-2023-44487, update all affected HTTP/2 server implementations to their patched versions immediately. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Verify the fix by confirming your server software versions meet or exceed the vendor-recommended patched releases.

1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2Enable Cloudflare or CDN-level DDoS protection.
3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4Implement rate limiting on HTTP/2 connections at the edge.
5Monitor for traffic spikes and RESET_STREAM frames.
6Consider disabling HTTP/2 on exposed endpoints if not required.

Frequently Asked Questions

What is the CVSS score for CVE-2023-44487?▼

CVE-2023-44487 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare) are affected?▼

Affected: All HTTP/2 server implementations (pre-patch). The vulnerability was fixed in: Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches.

How long does it take to fix CVE-2023-44487?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2023-44487 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.