CVE-2023-44487

Name: CVE-2023-44487
Creator: NVD / NIST
Published: 2023-10-10T14:15:10.883+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10Actively ExploitedEPSS 100.00%

Last modified Jun 17, 2026

CVE-2023-44487 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.. CISA has confirmed active exploitation in the wild. EPSS estimates a 100.00% chance of exploitation in the next 30 days.

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

100.00%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Oct 31, 2023.

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions	Update
Siemens	Simatic S7-1500 Cpu 1518f-4 Pn\/Dp Mfp Firmware	>= 3.1.5	—
Siemens	Sinec Ins	< 1.0	—
Siemens	Sinec Ins	1.0	—
Siemens	Sinec Nms	< 3.0	—
Siemens	St7 Scadaconnect	< 1.1	—
Siemens	Ruggedcom Ape1808 Firmware	All versions	—
Siemens	Simatic S7-1500 Cpu 1518-4 Pn\/Dp Mfp Firmware	>= 3.1.5	—
Siemens	Siplus S7-1500 Cpu 1518-4 Pn\/Dp Mfp Firmware	>= 3.1.5	—
Ietf	Http	2.0	—
Nghttp2	Nghttp2	< 1.57.0	—
Netty	Netty	< 4.1.100	—
Envoyproxy	Envoy	1.24.10	—
Envoyproxy	Envoy	1.25.9	—
Envoyproxy	Envoy	1.26.4	—
Envoyproxy	Envoy	1.27.0	—
Eclipse	Jetty	< 9.4.53	—
Eclipse	Jetty	>= 10.0.0, < 10.0.17	—
Eclipse	Jetty	>= 11.0.0, < 11.0.17	—
Eclipse	Jetty	>= 12.0.0, < 12.0.2	—
Caddyserver	Caddy	< 2.7.5	—
Golang	Go	< 1.20.10	—
Golang	Go	>= 1.21.0, < 1.21.3	—
Golang	Http2	< 0.17.0	—
Golang	Networking	< 0.17.0	—
F5	Big-Ip Access Policy Manager	>= 13.1.0, <= 13.1.5	—
F5	Big-Ip Access Policy Manager	>= 14.1.0, <= 14.1.5	—
F5	Big-Ip Access Policy Manager	>= 15.1.0, <= 15.1.10	—
F5	Big-Ip Access Policy Manager	>= 16.1.0, <= 16.1.4	—
F5	Big-Ip Access Policy Manager	17.1.0	—
F5	Big-Ip Advanced Firewall Manager	>= 13.1.0, <= 13.1.5	—
F5	Big-Ip Advanced Firewall Manager	>= 14.1.0, <= 14.1.5	—
F5	Big-Ip Advanced Firewall Manager	>= 15.1.0, <= 15.1.10	—
F5	Big-Ip Advanced Firewall Manager	>= 16.1.0, <= 16.1.4	—
F5	Big-Ip Advanced Firewall Manager	17.1.0	—
F5	Big-Ip Advanced Web Application Firewall	>= 13.1.0, <= 13.1.5	—
F5	Big-Ip Advanced Web Application Firewall	>= 14.1.0, <= 14.1.5	—
F5	Big-Ip Advanced Web Application Firewall	>= 15.1.0, <= 15.1.10	—
F5	Big-Ip Advanced Web Application Firewall	>= 16.1.0, <= 16.1.4	—
F5	Big-Ip Advanced Web Application Firewall	17.1.0	—
F5	Big-Ip Analytics	>= 13.1.0, <= 13.1.5	—
F5	Big-Ip Analytics	>= 14.1.0, <= 14.1.5	—
F5	Big-Ip Analytics	>= 15.1.0, <= 15.1.10	—
F5	Big-Ip Analytics	>= 16.1.0, <= 16.1.4	—
F5	Big-Ip Analytics	17.1.0	—
F5	Big-Ip Application Acceleration Manager	>= 13.1.0, <= 13.1.5	—
F5	Big-Ip Application Acceleration Manager	>= 14.1.0, <= 14.1.5	—
F5	Big-Ip Application Acceleration Manager	>= 15.1.0, <= 15.1.10	—
F5	Big-Ip Application Acceleration Manager	>= 16.1.0, <= 16.1.4	—
F5	Big-Ip Application Acceleration Manager	17.1.0	—
F5	Big-Ip Application Security Manager	>= 13.1.0, <= 13.1.5	—

Showing 50 of 284 affected configurations. See NVD for the full list.

References

http://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/10/7Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List, Third Party Advisory
https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage, Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description, Vendor Advisory
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory, Vendor Advisory
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage, Third Party Advisory
https://blog.vespa.ai/cve-2023-44487/Vendor Advisory
https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking, Vendor Advisory
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List, Patch, Vendor Advisory
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description, Vendor Advisory
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description, Vendor Advisory
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking, Patch
https://github.com/Azure/AKS/issues/3947Issue Tracking
https://github.com/Kong/kong/discussions/11741Issue Tracking
https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory
https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation, Patch, Vendor Advisory
https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch, Vendor Advisory
https://github.com/akka/akka-http/issues/4323Issue Tracking
https://github.com/alibaba/tengine/issues/1872Issue Tracking
https://github.com/apache/apisix/issues/10320Issue Tracking
https://github.com/apache/httpd-site/pull/10Issue Tracking
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product, Third Party Advisory
https://github.com/apache/trafficserver/pull/10564Issue Tracking, Patch
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory
https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory
https://github.com/caddyserver/caddy/issues/5877Issue Tracking, Vendor Advisory
https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes, Third Party Advisory
https://github.com/dotnet/announcements/issues/277Issue Tracking, Mitigation, Vendor Advisory
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product, Release Notes
https://github.com/eclipse/jetty.project/issues/10679Issue Tracking
https://github.com/envoyproxy/envoy/pull/30055Issue Tracking, Patch
https://github.com/etcd-io/etcd/issues/16740Issue Tracking, Patch
https://github.com/facebook/proxygen/pull/466Issue Tracking, Patch
https://github.com/golang/go/issues/63417Issue Tracking
https://github.com/grpc/grpc-go/pull/6703Issue Tracking, Patch
https://github.com/grpc/grpc/releases/tag/v1.59.2Mailing List
https://github.com/h2o/h2o/pull/3291Issue Tracking, Patch
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory
https://github.com/haproxy/haproxy/issues/2312Issue Tracking
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product
https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch
https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking
https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking, Patch
https://github.com/line/armeria/pull/5232Issue Tracking, Patch
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch
https://github.com/micrictor/http2-rst-streamExploit, Third Party Advisory
https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking, Patch
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch
https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking, Patch
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes
https://github.com/ninenines/cowboy/issues/1615Issue Tracking
https://github.com/nodejs/node/pull/50121Issue Tracking
https://github.com/openresty/openresty/issues/930Issue Tracking
https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking, Patch
https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking
https://github.com/projectcontour/contour/pull/5826Issue Tracking, Patch
https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking
https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List, Release Notes, Vendor Advisory
https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List, Third Party Advisory
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List, Patch, Third Party Advisory
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation, Patch, Vendor Advisory
https://my.f5.com/manage/s/article/K000137106Vendor Advisory
https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes, Vendor Advisory
https://news.ycombinator.com/item?id=37830987Issue Tracking
https://news.ycombinator.com/item?id=37830998Issue Tracking, Press/Media Coverage
https://news.ycombinator.com/item?id=37831062Issue Tracking
https://news.ycombinator.com/item?id=37837043Issue Tracking
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZVendor Advisory
https://security.gentoo.org/glsa/202311-09Third Party Advisory
https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/Exploit, Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory
https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes
https://ubuntu.com/security/CVE-2023-44487Vendor Advisory
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487Third Party Advisory, US Government Resource
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage, Third Party Advisory
https://www.debian.org/security/2023/dsa-5521Mailing List, Vendor Advisory
https://www.debian.org/security/2023/dsa-5522Mailing List, Vendor Advisory
https://www.debian.org/security/2023/dsa-5540Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5549Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5558Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5570Third Party Advisory
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory, Vendor Advisory
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation, Vendor Advisory
https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/08/13/6Third Party Advisory
https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage, Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description, Vendor Advisory
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory, Vendor Advisory
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage, Third Party Advisory
https://blog.vespa.ai/cve-2023-44487/Vendor Advisory
https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking, Vendor Advisory
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List, Patch, Vendor Advisory
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description, Vendor Advisory
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description, Vendor Advisory
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking, Patch
https://github.com/Azure/AKS/issues/3947Issue Tracking
https://github.com/Kong/kong/discussions/11741Issue Tracking
https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory
https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation, Patch, Vendor Advisory
https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch, Vendor Advisory
https://github.com/akka/akka-http/issues/4323Issue Tracking
https://github.com/alibaba/tengine/issues/1872Issue Tracking
https://github.com/apache/apisix/issues/10320Issue Tracking
https://github.com/apache/httpd-site/pull/10Issue Tracking
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product, Third Party Advisory
https://github.com/apache/trafficserver/pull/10564Issue Tracking, Patch
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory
https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory
https://github.com/caddyserver/caddy/issues/5877Issue Tracking, Vendor Advisory
https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes, Third Party Advisory
https://github.com/dotnet/announcements/issues/277Issue Tracking, Mitigation, Vendor Advisory
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product, Release Notes
https://github.com/eclipse/jetty.project/issues/10679Issue Tracking
https://github.com/envoyproxy/envoy/pull/30055Issue Tracking, Patch
https://github.com/etcd-io/etcd/issues/16740Issue Tracking, Patch
https://github.com/facebook/proxygen/pull/466Issue Tracking, Patch
https://github.com/golang/go/issues/63417Issue Tracking
https://github.com/grpc/grpc-go/pull/6703Issue Tracking, Patch
https://github.com/h2o/h2o/pull/3291Issue Tracking, Patch
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory
https://github.com/haproxy/haproxy/issues/2312Issue Tracking
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product
https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch
https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking
https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking, Patch
https://github.com/line/armeria/pull/5232Issue Tracking, Patch
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch
https://github.com/micrictor/http2-rst-streamExploit, Third Party Advisory
https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking, Patch
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch
https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking, Patch
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes
https://github.com/ninenines/cowboy/issues/1615Issue Tracking
https://github.com/nodejs/node/pull/50121Issue Tracking
https://github.com/openresty/openresty/issues/930Issue Tracking
https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking, Patch
https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking
https://github.com/projectcontour/contour/pull/5826Issue Tracking, Patch
https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking
https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List, Release Notes, Vendor Advisory
https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List, Third Party Advisory
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List, Third Party Advisory
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List, Patch, Third Party Advisory
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation, Patch, Vendor Advisory
https://my.f5.com/manage/s/article/K000137106Vendor Advisory
https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes, Vendor Advisory
https://news.ycombinator.com/item?id=37830987Issue Tracking
https://news.ycombinator.com/item?id=37830998Issue Tracking, Press/Media Coverage
https://news.ycombinator.com/item?id=37831062Issue Tracking
https://news.ycombinator.com/item?id=37837043Issue Tracking
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory
https://security.gentoo.org/glsa/202311-09Third Party Advisory
https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/Exploit, Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory
https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes
https://ubuntu.com/security/CVE-2023-44487Vendor Advisory
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487Third Party Advisory, US Government Resource
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage, Third Party Advisory
https://www.debian.org/security/2023/dsa-5521Mailing List, Vendor Advisory
https://www.debian.org/security/2023/dsa-5522Mailing List, Vendor Advisory
https://www.debian.org/security/2023/dsa-5540Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5549Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5558Mailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5570Third Party Advisory
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory, Vendor Advisory
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation, Vendor Advisory
https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage, Third Party Advisory
https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-causeThird Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.htmlThird Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-341067.htmlThird Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-784301.htmlThird Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-832273.htmlThird Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-915275.htmlThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487US Government Resource

Timeline

Published: Oct 10, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-44487?

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

How severe is CVE-2023-44487?

CVE-2023-44487 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 100.00% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2023-44487?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-44487?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST