GHSA-vx74-f528-fxqg: github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact

Rapidly creating and cancelling streams (a HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service.

See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Patches

nghttp2 v1.57.0 mitigates this vulnerability by default.

Workarounds

If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If an excessive number of RST_STREAM frames is received, take action, such as dropping the connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.
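The counting logic the workaround describes, as an added example that is not part of the advisory or of nghttp2 itself: a per-connection counter of RST_STREAM frames over a short time window, with the nghttp2 callback wiring shown in a comment so the block compiles without the library headers. The thresholds (RST_BURST_LIMIT, RST_WINDOW_SECS), the struct and function names, and the replayed frame trace are all constructed for this example and are not nghttp2's defaults.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HTTP/2 frame type codes from RFC 9113 (same values nghttp2 exposes as
 * NGHTTP2_HEADERS and NGHTTP2_RST_STREAM). */
#define FRAME_HEADERS    0x1
#define FRAME_RST_STREAM 0x3

/* Constructed thresholds for this example, NOT nghttp2's tuned defaults:
 * more than RST_BURST_LIMIT RST_STREAM frames inside one RST_WINDOW_SECS
 * window is treated as abusive. */
#define RST_BURST_LIMIT  100
#define RST_WINDOW_SECS  1

enum rst_action { RST_OK = 0, RST_CLOSE = 1 };

/* Per-connection state; with nghttp2 this lives in the user_data pointer
 * handed to the callbacks. */
struct conn_rst_state {
    uint64_t window_start;   /* start of the current counting window (seconds) */
    uint32_t rst_in_window;  /* RST_STREAM frames seen in the current window */
    int      goaway_sent;    /* so GOAWAY is submitted only once */
};

/* Core check, independent of nghttp2: called for every received frame,
 * counts only RST_STREAM, and asks the caller to close the connection once
 * the per-window budget is exceeded. `now` is a monotonic clock in seconds. */
enum rst_action rst_track(struct conn_rst_state *st, uint8_t frame_type, uint64_t now)
{
    if (frame_type != FRAME_RST_STREAM)
        return RST_OK;
    if (now - st->window_start >= RST_WINDOW_SECS) {
        /* Window expired: start a fresh count from this frame. */
        st->window_start = now;
        st->rst_in_window = 0;
    }
    if (++st->rst_in_window > RST_BURST_LIMIT)
        return RST_CLOSE;
    return RST_OK;
}

/*
 * Wiring into nghttp2 (not compiled here because the block carries no
 * nghttp2 dependency). The callback has the nghttp2_on_frame_recv_callback
 * shape; on RST_CLOSE it submits GOAWAY with ENHANCE_YOUR_CALM and lets the
 * server's normal write path flush it, then close the socket:
 *
 *   static int on_frame_recv(nghttp2_session *session,
 *                            const nghttp2_frame *frame, void *user_data) {
 *       struct conn_rst_state *st = user_data;
 *       if (rst_track(st, frame->hd.type, (uint64_t)time(NULL)) == RST_CLOSE
 *           && !st->goaway_sent) {
 *           st->goaway_sent = 1;
 *           nghttp2_submit_goaway(session, NGHTTP2_FLAG_NONE,
 *                                 nghttp2_session_get_last_proc_stream_id(session),
 *                                 NGHTTP2_ENHANCE_YOUR_CALM, NULL, 0);
 *       }
 *       return 0;
 *   }
 *
 *   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks, on_frame_recv);
 */

/* Replay a constructed trace of frame types that all arrive inside one
 * window and return the index of the frame at which the limiter fires,
 * or -1 if the trace never exceeds the budget. */
long frames_before_close(const uint8_t *types, size_t n)
{
    struct conn_rst_state st = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (rst_track(&st, types[i], 0) == RST_CLOSE)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed trace: alternating HEADERS / RST_STREAM, the pattern the
     * advisory describes, 102 pairs long. */
    uint8_t trace[204];
    for (size_t i = 0; i < sizeof trace; i++)
        trace[i] = (i % 2 == 0) ? FRAME_HEADERS : FRAME_RST_STREAM;
    printf("limiter fires at frame index %ld\n", frames_before_close(trace, sizeof trace));
    return 0;
}
```

The 101st RST_STREAM sits at index 201 of the alternating trace (RST_STREAM k is at index 2k-1), so that is where the limiter reports RST_CLOSE; a counter that resets per window lets a client that resets a few streams a second proceed while a sustained burst is cut off.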

References

The following commit mitigates this vulnerability:

  • https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832

Package

gomod github.com/nghttp2/nghttp2 (Go)

Affected versions

< 1.57.0

Patched versions

1.57.0

References

  • GHSA-vx74-f528-fxqg
  • nghttp2/nghttp2@72b4af6
  • https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0

tatsuhiro-t published to nghttp2/nghttp2

Oct 10, 2023

Published to the GitHub Advisory Database

Oct 10, 2023

Reviewed

Oct 10, 2023

Last updated

Oct 10, 2023