CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2023-44482

HTTP/2 Rapid Reset: The DDoS Bug That Broke the Internet

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·12 min read·33 visits

Executive Summary (TL;DR)

A critical vulnerability in the HTTP/2 protocol allows attackers to cause a massive denial-of-service attack. By rapidly opening and then immediately canceling many data streams, an attacker can force a server to expend huge amounts of CPU, knocking it offline. This 'Rapid Reset' attack is cheap to perform and affects nearly every web server running HTTP/2. Patching and rate-limiting are essential for mitigation.

CVE-2023-44482, dubbed 'HTTP/2 Rapid Reset,' is a critical denial-of-service vulnerability affecting the HTTP/2 protocol itself. By exploiting the stream cancellation feature, an attacker can overwhelm virtually any web server with minimal effort. This is not a simple bug in a single application but a fundamental weakness in the web's modern infrastructure, allowing a low-bandwidth attacker to trigger massive, resource-draining DDoS attacks. The flaw lies in the asymmetrical cost of handling stream resets, where a cheap client request forces expensive server-side cleanup, leading to CPU exhaustion and complete service unavailability.

Fix Analysis (2)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
30.15%
Top 3% most exploited

Affected Systems

All major HTTP/2 server and library implementationsnginxApache HTTP ServerMicrosoft IISHAProxyEnvoy ProxyNode.js http2 moduleGo net/http packagenghttp2 library

Affected Versions Detail

Product
Affected Versions
Fixed Version
nginx
F5
< 1.25.31.25.3
Go
Google
< 1.20.10 and < 1.21.31.20.10, 1.21.3
Node.js
OpenJS Foundation
< 20.8.0, < 18.18.020.8.0, 18.18.0
Envoy
Cloud Native Computing Foundation
< 1.27.11.27.1
AttributeDetail
CWE IDCWE-400
CWE NameUncontrolled Resource Consumption
Attack VectorNetwork
CVSS v3.17.5 (High)
ImpactDenial of Service
Exploit StatusActive Exploitation
CISA KEVYes, listed
EPSS Percentile96.53% (as of late 2023)

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
T1498Network Denial of Service
Impact
CWE-400
Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource, which can lead to exhaustion of that resource.

Vulnerability Timeline

Large-scale DDoS attacks begin targeting major cloud providers.
2023-08-25
Coordinated public disclosure of the vulnerability by multiple vendors.
2023-10-10
CVE-2023-44487 assigned (later used as canonical CVE for tracking).
2023-10-10
Added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
2023-10-10
Major software vendors release security patches and advisories.
2023-10-11

References & Sources

  • [1]NVD - CVE-2023-44487 (Canonical CVE)
  • [2]CISA Advisory on HTTP/2 Rapid Reset
  • [3]Cloudflare Technical Breakdown of the Attack
  • [4]Google Cloud Blog on the Novel DDoS Attack

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 9 hours ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
8 views•5 min read
•about 10 hours ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
8 views•7 min read
•about 10 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
10 views•8 min read
•about 11 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 11 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
5 views•5 min read
•about 12 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
6 views•5 min read