CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2023-44487
CVSS 7.5 · EPSS 30.15%

HTTP/2 Rapid Reset: The DDoS Bug That Broke the Internet

Amit Schendel, Senior Security Researcher

Jan 1, 2026 · 12 min read

Active Exploitation · CISA KEV Listed

Executive Summary (TL;DR)

A high-severity (CVSS 7.5) denial-of-service weakness in the HTTP/2 protocol lets an attacker exhaust a server's CPU from a handful of low-bandwidth connections. The client opens a stream with a HEADERS frame and cancels it at once with RST_STREAM; the cancelled stream no longer counts against the server's concurrent-stream limit, so the client can repeat this far faster than the server can absorb the work each request has already triggered. This 'Rapid Reset' attack is cheap to launch and, at disclosure, affected nearly every HTTP/2 server and library. Mitigation requires vendor patches that bound what a single connection can cost the server (by limiting resets or by keeping cancelled streams counted), together with connection-level rate limiting at the edge.

CVE-2023-44487 (the canonical identifier; the attack is better known as 'HTTP/2 Rapid Reset') is a denial-of-service vulnerability in the HTTP/2 protocol itself rather than in any single implementation. HTTP/2 multiplexes many streams over one TCP connection and lets either side cancel a stream with a RST_STREAM frame. A server bounds the number of streams a client may have open at once via SETTINGS_MAX_CONCURRENT_STREAMS, but a stream that has been reset is closed and no longer counts toward that limit. An attacker therefore sends HEADERS immediately followed by RST_STREAM, over and over, and is never throttled by the concurrency limit. The cost is asymmetric: each pair of frames is a few dozen bytes for the client, while the server has already parsed the request, allocated stream state and often dispatched it to a handler or upstream before the reset arrives, and must then tear all of that down. A small number of low-bandwidth connections can thus drive a server's CPU to exhaustion, which is how the attacks seen in the wild reached record request rates with comparatively small botnets.
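The mechanism above, replayed against a toy model of one server-side HTTP/2 connection. This is an added illustration, not code from the page or from any of the affected projects; the frame handling follows RFC 9113's rule that only open and half-closed streams count toward SETTINGS_MAX_CONCURRENT_STREAMS, while the concurrency limit of 100, the reset budget of 200 and the counter names are hypothetical. It contrasts a plain HEADERS flood (stopped by the limit), Rapid Reset against an unpatched server (limit never triggers, all 10,000 requests start work) and the same attack against a server that closes the connection once a reset budget is exceeded.

```go
package main

import "fmt"

// Added illustration of HTTP/2 Rapid Reset (CVE-2023-44487). Toy model of one
// server-side connection; not code from any affected project. Only the two frame
// types the attack needs are modelled (RFC 9113 HEADERS and RST_STREAM), and all
// limits and counters below are hypothetical.

type FrameType int

const (
	Headers   FrameType = iota // client opens a stream and sends a request
	RstStream                  // client cancels the stream
)

type Frame struct {
	Type     FrameType
	StreamID uint32
}

// Conn is the server's view of one HTTP/2 connection.
type Conn struct {
	maxConcurrent int             // advertised SETTINGS_MAX_CONCURRENT_STREAMS
	open          map[uint32]bool // streams currently counted against that limit
	resetBudget   int             // hypothetical mitigation: RST_STREAMs tolerated before GOAWAY (0 = none)
	resets        int

	WorkStarted int  // requests the server began processing: the CPU the attacker burns
	Refused     int  // HEADERS rejected because the concurrency limit was full
	Closed      bool // server sent GOAWAY and dropped the connection
}

func NewConn(maxConcurrent, resetBudget int) *Conn {
	return &Conn{maxConcurrent: maxConcurrent, open: map[uint32]bool{}, resetBudget: resetBudget}
}

// Handle processes one frame as an unpatched server (resetBudget == 0) or a
// server with a per-connection reset budget (resetBudget > 0) would.
func (c *Conn) Handle(f Frame) {
	if c.Closed {
		return
	}
	switch f.Type {
	case Headers:
		if len(c.open) >= c.maxConcurrent {
			c.Refused++ // a real server answers RST_STREAM(REFUSED_STREAM) and does no work
			return
		}
		c.open[f.StreamID] = true
		c.WorkStarted++ // parse, route, allocate, maybe proxy upstream: all before any reset arrives
	case RstStream:
		// RFC 9113 5.1.2: only open/half-closed streams count toward the limit, so the
		// slot is freed the instant the reset is processed. That is what Rapid Reset exploits.
		delete(c.open, f.StreamID)
		c.resets++
		if c.resetBudget > 0 && c.resets > c.resetBudget {
			c.Closed = true // mitigation: GOAWAY(ENHANCE_YOUR_CALM), no further work for this peer
		}
	}
}

// Replay feeds a frame sequence to a connection and returns it for inspection.
func Replay(c *Conn, frames []Frame) *Conn {
	for _, f := range frames {
		c.Handle(f)
	}
	return c
}

// RapidReset is the attacker's sequence: n times HEADERS immediately followed by
// RST_STREAM on the same stream. Client-initiated stream IDs are odd.
func RapidReset(n int) []Frame {
	frames := make([]Frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		frames = append(frames, Frame{Headers, id}, Frame{RstStream, id})
	}
	return frames
}

// Flood is the naive alternative: n HEADERS with no resets. The concurrency
// limit handles this case, which is why it was never the problem.
func Flood(n int) []Frame {
	frames := make([]Frame, 0, n)
	for i := 0; i < n; i++ {
		frames = append(frames, Frame{Headers, uint32(2*i + 1)})
	}
	return frames
}

func main() {
	report := func(name string, c *Conn) {
		fmt.Printf("%-24s work started=%5d refused=%5d closed=%v\n", name, c.WorkStarted, c.Refused, c.Closed)
	}
	report("flood, limit 100", Replay(NewConn(100, 0), Flood(10000)))            // 100 started, 9900 refused
	report("rapid reset, unpatched", Replay(NewConn(100, 0), RapidReset(10000)))  // 10000 started, 0 refused
	report("rapid reset, budget 200", Replay(NewConn(100, 200), RapidReset(10000))) // 201 started, then closed
}
```

The reset budget stands in for whichever fix a vendor chose: real patches either bound the rate of RST_STREAM a connection may send and answer with GOAWAY, or keep a cancelled stream counted against the concurrency limit until its handler has actually finished, and edge proxies add connection-level rate limiting on top. In every variant the point is the same as in the model: cap the work one connection can make the server start before the server can refuse it.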


Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 30.15% (top 3% most exploited)

Affected Systems

All major HTTP/2 server and library implementations, including:

  • nginx
  • Apache HTTP Server
  • Microsoft IIS
  • HAProxy
  • Envoy Proxy
  • Node.js http2 module
  • Go net/http package
  • nghttp2 library

Affected Versions Detail

Product | Vendor                            | Affected Versions      | Fixed Version
nginx   | F5                                | < 1.25.3               | 1.25.3
Go      | Google                            | < 1.20.10, < 1.21.3    | 1.20.10, 1.21.3
Node.js | OpenJS Foundation                 | < 18.18.2, < 20.8.1    | 18.18.2, 20.8.1
Envoy   | Cloud Native Computing Foundation | < 1.27.1               | 1.27.1
Attribute: Detail
CWE ID: CWE-400
CWE Name: Uncontrolled Resource Consumption
Attack Vector: Network
CVSS v3.1: 7.5 (High)
Impact: Denial of Service
Exploit Status: Active Exploitation
CISA KEV: Yes, listed
EPSS Percentile: 96.53% (as of late 2023)

MITRE ATT&CK Mapping

  • T1499 Endpoint Denial of Service (Impact)
  • T1498 Network Denial of Service (Impact)

CWE-400: Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource, which can lead to exhaustion of that resource.

Vulnerability Timeline

2023-08-25  Large-scale DDoS attacks begin targeting major cloud providers.
2023-10-10  Coordinated public disclosure of the vulnerability by multiple vendors.
2023-10-10  CVE-2023-44487 assigned (the canonical CVE for tracking).
2023-10-10  Added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
2023-10-11  Major software vendors release security patches and advisories.

References & Sources

  • [1] NVD - CVE-2023-44487 (canonical CVE)
  • [2] CISA Advisory on HTTP/2 Rapid Reset
  • [3] Cloudflare Technical Breakdown of the Attack
  • [4] Google Cloud Blog on the Novel DDoS Attack

Attack Flow Diagram

  • Attacker opens a stream: a HEADERS frame carrying a request.
  • Attacker immediately cancels it: RST_STREAM on the same stream, so the slot no longer counts toward the server's concurrent-stream limit.
  • Server has already begun parsing, routing and possibly proxying the request, and now tears that state down.
  • Attacker repeats at line rate over a few connections until server CPU is exhausted and the service becomes unavailable.