CVE-2023-44482

HTTP/2 Rapid Reset: The DDoS Bug That Broke the Internet

Amit Schendel
Senior Security Researcher

Jan 1, 2026

Executive Summary (TL;DR)

A critical vulnerability in the HTTP/2 protocol allows attackers to cause a massive denial-of-service attack. By rapidly opening and then immediately canceling many data streams, an attacker can force a server to expend huge amounts of CPU, knocking it offline. This 'Rapid Reset' attack is cheap to perform and affects nearly every web server running HTTP/2. Patching and rate-limiting are essential for mitigation.

CVE-2023-44482, dubbed 'HTTP/2 Rapid Reset,' is a critical denial-of-service vulnerability affecting the HTTP/2 protocol itself. By exploiting the stream cancellation feature, an attacker can overwhelm virtually any web server with minimal effort. This is not a simple bug in a single application but a fundamental weakness in the web's modern infrastructure, allowing a low-bandwidth attacker to trigger massive, resource-draining DDoS attacks. The flaw lies in the asymmetric cost of handling stream resets: a cheap client request forces expensive server-side cleanup, leading to CPU exhaustion and complete service unavailability.
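The cost asymmetry above is why the practical mitigation is a per-connection budget on client-initiated resets rather than a ban on cancellation, which legitimate clients use. The following Python sketch is an added example, not code from this page or from any vendor's patch. It assumes a simplified frame model (a HEADERS frame opens a stream, a RST_STREAM frame cancels it), an illustrative limit of 100 resets per second per connection, and constructed sample traffic; the real vendor thresholds differ.

```python
"""Per-connection RST_STREAM budget: a defender-side mitigation sketch for
HTTP/2 Rapid Reset. The limit values are illustrative assumptions only."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional


class Frame(NamedTuple):
    ts: float        # arrival time in seconds
    conn_id: str     # which client connection the frame arrived on
    kind: str        # "HEADERS" opens a stream, "RST_STREAM" cancels one
    stream_id: int


class ResetBudget:
    """Sliding-window limit on client-initiated stream resets per connection.

    A client may legitimately cancel a few streams (a user navigating away,
    a cancelled fetch), so the limit is a rate, not a prohibition. Once a
    connection exceeds the budget the server should send GOAWAY and stop
    allocating work for that peer instead of paying cleanup cost per reset.
    """

    def __init__(self, max_resets: int = 100, window: float = 1.0):
        self.max_resets = max_resets      # assumed threshold
        self.window = window              # seconds
        self._resets: Dict[str, Deque[float]] = defaultdict(deque)

    def record_reset(self, conn_id: str, now: float) -> bool:
        """Record one RST_STREAM; return True if the budget is exceeded."""
        q = self._resets[conn_id]
        q.append(now)
        # Forget resets that fell out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_resets

    def forget(self, conn_id: str) -> None:
        self._resets.pop(conn_id, None)


@dataclass
class ConnStats:
    opened: int = 0
    reset: int = 0
    goaway_at: Optional[float] = None   # time the server tore the connection down


def triage(frames: Iterable[Frame], budget: ResetBudget) -> Dict[str, ConnStats]:
    """Replay frames in time order and decide which connections get GOAWAY."""
    stats: Dict[str, ConnStats] = defaultdict(ConnStats)
    for f in sorted(frames, key=lambda x: x.ts):
        s = stats[f.conn_id]
        if s.goaway_at is not None:
            continue   # already closed; no further work for this peer
        if f.kind == "HEADERS":
            s.opened += 1
        elif f.kind == "RST_STREAM":
            s.reset += 1
            if budget.record_reset(f.conn_id, f.ts):
                s.goaway_at = f.ts
                budget.forget(f.conn_id)
    return dict(stats)


def sample_frames() -> List[Frame]:
    """Constructed traffic: one ordinary client and one rapid-reset client."""
    frames: List[Frame] = []
    # client-A: 20 requests over two seconds, two of them cancelled (normal).
    for i in range(20):
        sid = 2 * i + 1
        frames.append(Frame(0.1 * i, "client-A", "HEADERS", sid))
        if i in (5, 12):
            frames.append(Frame(0.1 * i + 0.05, "client-A", "RST_STREAM", sid))
    # client-B: 300 open/cancel pairs inside half a second (rapid reset).
    for i in range(300):
        sid = 2 * i + 1
        t = 0.5 * i / 300
        frames.append(Frame(t, "client-B", "HEADERS", sid))
        frames.append(Frame(t + 0.0001, "client-B", "RST_STREAM", sid))
    return frames


if __name__ == "__main__":
    result = triage(sample_frames(), ResetBudget(max_resets=100, window=1.0))
    for conn, s in result.items():
        verdict = "ok" if s.goaway_at is None else f"GOAWAY at t={s.goaway_at:.4f}s"
        print(f"{conn}: opened={s.opened} reset={s.reset} -> {verdict}")
```

In the replay, client-A never comes near the budget, while client-B is cut off on its 101st reset with only about a sixth of a second elapsed, so the server stops spending cleanup CPU after a bounded amount of work per connection. A production implementation would apply the same budget inside the HTTP/2 frame handler and pair it with the usual per-connection stream and request limits.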


Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 30.15% (top 3% most exploited)

Affected Systems

All major HTTP/2 server and library implementations, including:
- nginx
- Apache HTTP Server
- Microsoft IIS
- HAProxy
- Envoy Proxy
- Node.js http2 module
- Go net/http package
- nghttp2 library

Affected Versions Detail

Product    Vendor                               Affected Versions         Fixed Version
nginx      F5                                   < 1.25.3                  1.25.3
Go         Google                               < 1.20.10 and < 1.21.3    1.20.10, 1.21.3
Node.js    OpenJS Foundation                    < 20.8.0, < 18.18.0       20.8.0, 18.18.0
Envoy      Cloud Native Computing Foundation    < 1.27.1                  1.27.1
Attribute          Detail
CWE ID             CWE-400
CWE Name           Uncontrolled Resource Consumption
Attack Vector      Network
CVSS v3.1          7.5 (High)
Impact             Denial of Service
Exploit Status     Active Exploitation
CISA KEV           Yes, listed
EPSS Percentile    96.53% (as of late 2023)

CWE-400: Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource, which can lead to exhaustion of that resource.

Vulnerability Timeline

2023-08-25: Large-scale DDoS attacks begin targeting major cloud providers.
2023-10-10: Coordinated public disclosure of the vulnerability by multiple vendors.
2023-10-10: CVE-2023-44487 assigned (later used as the canonical CVE for tracking).
2023-10-10: Added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
2023-10-11: Major software vendors release security patches and advisories.
