CVE-2024-45403: 
NixOS vulnerability analysis and mitigation

CVE-2024-45403 affects h2o, an HTTP server with support for HTTP/1.x, HTTP/2, and HTTP/3. The vulnerability was discovered and disclosed in October 2024, affecting h2o versions between commits 16b13ee and 15ed15a. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, the server might crash due to an assertion failure (GitHub Advisory).

The vulnerability is related to an assertion failure that occurs specifically in the HTTP/3 request handling when requests are cancelled by clients. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST and 3.7 LOW by GitHub with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified as CWE-617 (Reachable Assertion) (NVD).

The vulnerability can be exploited by an attacker to mount a Denial-of-Service attack. While the h2o standalone server automatically restarts by default, which minimizes the impact, HTTP requests that were being served concurrently will still be disrupted (GitHub Advisory).

The vulnerability has been patched in commit 1ed32b2. Users of h2o using it as a reverse proxy should upgrade to commit 95e8e17 or above. As an alternative to patching, users can mitigate the issue by disabling HTTP/3. This can be done by removing or commenting out the listen directives using the quic type or attribute (GitHub Advisory).