CVE-2023-44487

HTTP/2 Rapid Reset: How a Single TCP Connection Can Nuke a Server

Amit Schendel
Senior Security Researcher

Dec 31, 2025

Executive Summary (TL;DR)

A design flaw in the HTTP/2 protocol allows an attacker to open and immediately cancel a massive number of streams over a single connection. This forces the server to burn CPU and memory on useless setup/teardown work, leading to a complete Denial of Service. Because the issue is in the protocol itself, nearly every HTTP/2 implementation was vulnerable. It has been actively and massively exploited in the wild.

CVE-2023-44487, dubbed 'Rapid Reset,' is a protocol-level vulnerability in HTTP/2 that allows a single client to overwhelm and crash even the most powerful servers. By abusing the stream cancellation mechanism, an attacker can force a server to perform a massive amount of work setting up and tearing down communication streams, while the attacker expends almost no resources. This asymmetry creates a devastating Denial of Service vector that bypasses traditional rate-limiting defenses. The flaw isn't in a specific piece of software, but in the very design of the protocol, leading to a coordinated, internet-wide patching effort affecting nearly every modern web server, CDN, and load balancer.
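The asymmetry described above is what the per-connection reset-rate limits that servers shipped as a mitigation target. The following is an added example, not code from this advisory or from any vendor: a small guard that counts client RST_STREAM frames per connection in a sliding window and flags connections that cancel far more streams than a legitimate client would, replayed over a constructed frame trace (window length, reset budget and ratio are assumed tuning values).

```python
from collections import deque

# Constructed frame trace: (timestamp_s, connection_id, frame_type, stream_id).
# Connection "A" is a normal client cancelling one request; connection "B" opens
# 200 streams and resets each within half a millisecond over one TCP connection.
SAMPLE_FRAMES = (
    [(0.00, "A", "HEADERS", 1), (0.05, "A", "HEADERS", 3), (0.30, "A", "RST_STREAM", 3)]
    + [(0.001 * i, "B", "HEADERS", 2 * i + 1) for i in range(200)]
    + [(0.001 * i + 0.0005, "B", "RST_STREAM", 2 * i + 1) for i in range(200)]
)


class RapidResetGuard:
    """Per-connection sliding-window counter of stream opens and client resets."""
    def __init__(self, window_s=1.0, max_resets=100, min_reset_ratio=0.5):
        self.window_s = window_s                # window length (assumed value)
        self.max_resets = max_resets            # RST_STREAM budget per window (assumed)
        self.min_reset_ratio = min_reset_ratio  # resets/opens ratio treated as abuse (assumed)
        self.opens = {}    # conn -> deque of HEADERS timestamps
        self.resets = {}   # conn -> deque of RST_STREAM timestamps
        self.flagged = {}  # conn -> timestamp at which the guard tripped

    def _trim(self, dq, now):
        # Drop events that have aged out of the sliding window.
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def observe(self, ts, conn, frame_type, stream_id):
        """Feed one frame; return True if the connection should be closed."""
        opens = self.opens.setdefault(conn, deque())
        resets = self.resets.setdefault(conn, deque())
        if frame_type == "HEADERS" and stream_id % 2 == 1:   # client-initiated streams are odd
            opens.append(ts)
        elif frame_type == "RST_STREAM":
            resets.append(ts)
        self._trim(opens, ts)
        self._trim(resets, ts)
        # Require both an absolute burst and a high cancel ratio, so a busy but
        # legitimate connection, or one with a few cancellations, is not cut off.
        if len(resets) > self.max_resets and len(resets) >= self.min_reset_ratio * len(opens):
            self.flagged.setdefault(conn, ts)
            return True
        return False


def analyse(frames, **guard_kwargs):
    """Replay frames in time order; return {conn: first_timestamp_flagged}."""
    guard = RapidResetGuard(**guard_kwargs)
    for ts, conn, frame_type, stream_id in sorted(frames):
        guard.observe(ts, conn, frame_type, stream_id)
    return guard.flagged
```

With the default thresholds, connection "B" trips the guard on its 101st reset, roughly 100 ms into the trace, while "A" is never flagged.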

Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 94.40% (top 6% most exploited)

Affected Systems

Any web server, CDN, load balancer, or application implementing the HTTP/2 protocol.

Affected Versions Detail

Product: Various HTTP/2 Implementations (Multiple Vendors)
Affected Versions: All unpatched versions
Fixed Version: -

Attribute / Detail
CWE ID: CWE-400
CWE Name: Uncontrolled Resource Consumption
Attack Vector: Network
CVSS Score: 7.5 (High)
EPSS Score: 0.944 (94.4%)
Impact: Denial of Service
Exploit Status: Active Exploitation
KEV Status: Listed in CISA KEV Catalog

CWE-400: Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource, such as memory, file handles, or network connections. An attacker can exploit this by crafting requests that trigger excessive resource allocation, eventually leading to a denial of service when the resource is exhausted.

Vulnerability Timeline

2023-08-25: Initial large-scale exploitation campaigns begin, targeting major infrastructure providers.
2023-10-10: Coordinated public disclosure of the vulnerability by multiple vendors.
2023-10-10: CVE-2023-44487 is officially published and added to CISA's KEV catalog.
2023-10-11: Major open-source projects and vendors have patches widely available.