
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-8r5v-vm4m-4g25) affects the h2 Rust crate, an HTTP/2 implementation. Discovered and disclosed on January 17, 2024, it is a resource exhaustion vulnerability that can lead to Denial of Service (DoS). The affected versions are < 0.3.24, and >= 0.4.0 but < 0.4.2; patches are available in versions 0.3.24 and 0.4.2 (GitHub Advisory, RustSec Advisory).
An attacker holding an HTTP/2 connection can send a steady stream of invalid frames, each of which forces the victim endpoint to generate a reset frame. By closing their receive window, the attacker prevents those resets from being flushed, so the victim queues them without bound. This unbounded queuing leads to Out Of Memory (OOM) conditions and high CPU usage on the target system (RustSec Advisory).
When successfully exploited, the vulnerability causes significant resource exhaustion on affected systems: Out Of Memory (OOM) conditions and high CPU usage. The result is a Denial of Service (DoS) that can make the service unavailable to legitimate users (GitHub Advisory).
The vulnerability has been patched in h2 versions 0.3.24 and 0.4.2. The fix limits the total number of internal error resets emitted before the connection is closed, which prevents the unbounded queuing of reset frames. Users should upgrade to a patched version: ^0.3.24 or >=0.4.2. The fix was implemented in PR #737, which adds a configurable threshold (defaulting to 1024); a connection that generates more error resets than the threshold is terminated (GitHub PR).
The vulnerability has gained attention in the Rust ecosystem, with multiple projects and organizations quickly patching their dependencies. Several high-profile projects, including MystenLabs/sui and dragonflyoss/nydus, have issued updates to address it, demonstrating the security-conscious nature of the Rust community (GitHub PR).
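An added illustration, not code from h2 or from the advisory, of the bounded-reset behaviour the fix introduces: a toy connection model in which every invalid frame produces a reset, a peer that stops reading makes those resets queue, and the patched variant closes the connection once more than the threshold of error resets has been emitted. The names `Connection`, `simulate` and `DEFAULT_MAX_LOCAL_ERROR_RESETS` are the example's own, and the 1024 default is the value cited above.

```rust
// Toy model (added here, not h2's code) of the mitigation the advisory describes:
// each invalid peer frame forces a RST_STREAM; if the peer stops reading, those
// resets queue up, and the patch caps the error-triggered resets per connection.
/// Default threshold cited in the advisory for the patched versions.
pub const DEFAULT_MAX_LOCAL_ERROR_RESETS: usize = 1024;
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Outcome {
    Continue, // keep servicing the connection
    GoAway,   // too many error resets: terminate the connection
}
pub struct Connection {
    pending_resets: Vec<u32>,        // RST_STREAM frames not yet flushed
    peer_reading: bool,              // false models a peer that closed its window
    error_resets_emitted: usize,     // resets caused by invalid peer frames
    max_error_resets: Option<usize>, // None models the unpatched, unbounded case
}

impl Connection {
    pub fn new(max_error_resets: Option<usize>, peer_reading: bool) -> Self {
        Connection { pending_resets: Vec::new(), peer_reading, error_resets_emitted: 0, max_error_resets }
    }

    /// Handle one invalid frame on `stream_id`: emit a reset and enforce the cap.
    pub fn on_invalid_frame(&mut self, stream_id: u32) -> Outcome {
        self.error_resets_emitted += 1;
        if self.max_error_resets.map_or(false, |max| self.error_resets_emitted > max) {
            return Outcome::GoAway; // patched: close rather than queue more
        }
        if !self.peer_reading {
            self.pending_resets.push(stream_id); // held until the peer reads again
        }
        Outcome::Continue
    }

    pub fn queued_resets(&self) -> usize {
        self.pending_resets.len()
    }
}
/// Feed `invalid_frames` bad frames; returns (final outcome, resets still queued).
pub fn simulate(max: Option<usize>, peer_reading: bool, invalid_frames: u32) -> (Outcome, usize) {
    let mut conn = Connection::new(max, peer_reading);
    for i in 0..invalid_frames {
        // Client-initiated streams use odd ids.
        if conn.on_invalid_frame(2 * i + 1) == Outcome::GoAway {
            return (Outcome::GoAway, conn.queued_resets());
        }
    }
    (Outcome::Continue, conn.queued_resets())
}
```

With `None` the queue grows with every bad frame, which is the memory growth the advisory describes; with the default cap the connection is closed after 1024 error resets whether or not the peer is reading.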
Source: This report was generated using AI