What is CVE-2023-44487?

The HTTP/2 Rapid Reset Attack exploits the stream cancellation feature to overwhelm servers with a fraction of normal traffic, enabling massive DDoS attacks. Affected virtually all HTTP/2 implementations.

How do I fix CVE-2023-44487?

Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches. Enable Cloudflare or CDN-level DDoS protection. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx. Implement rate limiting on HTTP/2 connections at the edge. Monitor for traffic spikes and RESET_STREAM frames. Consider disabling HTTP/2 on exposed endpoints if not required.

highCVSS 7.5/10·Published: 2023-10-10·HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

How to fix CVE-2023-44487 – Step-by-Step Guide

CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a high-severity vulnerability published on October 10, 2023. This critical flaw affects virtually all HTTP/2 server implementations. It enables attackers to launch highly efficient denial-of-service attacks.

CVE ID

CVE-2023-44487

Severity

HIGH

CVSS Score

7.5/10

Affected

HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)

What is HTTP/2 Rapid Reset DDoS Attack?

The HTTP/2 Rapid Reset Attack exploits a flaw in the protocol's stream cancellation mechanism. Attackers send a request, immediately cancel it, and repeat this thousands of times per connection. This rapid stream creation and reset exhausts server resources, leading to a denial of service.

Affected Versions

All HTTP/2 server implementations (pre-patch)

Fixed In

Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches

Official References

Impact and Risks for your Infrastructure

This vulnerability allows attackers to launch devastating DDoS attacks with minimal resources, potentially taking down critical services. Businesses face significant operational disruption, revenue loss, and reputational damage due to service unavailability. Infrastructure can be overwhelmed, leading to costly recovery efforts.

http2ddosnginxhigh2023

Step-by-Step Mitigation Guide

To mitigate CVE-2023-44487, update your HTTP/2 server implementations to the latest patched versions immediately. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Consult vendor advisories for Apache, Node.js, and others. Verify the fix by confirming your server's HTTP/2 library version is patched.

1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2Enable Cloudflare or CDN-level DDoS protection.
3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4Implement rate limiting on HTTP/2 connections at the edge.
5Monitor for traffic spikes and RESET_STREAM frames.
6Consider disabling HTTP/2 on exposed endpoints if not required.

Frequently Asked Questions

What is the CVSS score for CVE-2023-44487?▼

CVE-2023-44487 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare) are affected?▼

Affected: All HTTP/2 server implementations (pre-patch). The vulnerability was fixed in: Nginx 1.25.3+, nghttp2 1.57.0+, vendor-specific patches.

How long does it take to fix CVE-2023-44487?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2023-44487 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.