HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487

Researchers and vendors have disclosed a denial-of-service (DoS) vulnerability in HTTP/2 protocol. The vulnerability (CVE-2023-44487), known as Rapid Reset, has been exploited in the wild in August 2023 through October 2023.

CISA recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:

Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack
Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack
NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products
Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:

CISA: Understanding and Responding to Distributed Denial-of-Service Attacks
CISA: Additional DDoS Guidance for Federal Agencies

This product is provided subject to this Notification and this Privacy & Use policy.

HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487

Please share your thoughts

CISA and Partners Release Guidance for Civil Society Organizations on Mitigating Cyber Threats with Limited Resources

Apple Releases Security Updates for Multiple Products

CISA Releases Four Industrial Control Systems Advisories

Microsoft Releases May 2024 Security Updates

HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487

Please share your thoughts

Related Advisories

CISA and Partners Release Guidance for Civil Society Organizations on Mitigating Cyber Threats with Limited Resources

Apple Releases Security Updates for Multiple Products

CISA Releases Four Industrial Control Systems Advisories

Microsoft Releases May 2024 Security Updates