
GHSA-9wmc-rg4h-28wv: vulnerability analysis and mitigation

Overview

The HTTP/2 'Rapid Reset' vulnerability (CVE-2023-44487) is a critical flaw in the HTTP/2 protocol and its implementations that allows attackers to perform denial-of-service attacks. The vulnerability was disclosed in October 2023 and affects multiple HTTP/2 implementations. Attacks exploiting it peaked in August 2023, with the largest surpassing 398 million requests per second (Google Cloud Blog).

Technical details

The vulnerability exploits HTTP/2's stream multiplexing feature, in which clients can create streams and immediately cancel them using RST_STREAM frames. In a typical HTTP/2 server implementation, the server must perform significant work for each cancelled request, such as allocating stream data structures, parsing the request, and decompressing headers, while the client pays minimal cost. The attack creates an exploitable cost asymmetry between server and client. HPACK header compression allows a large number of HEADERS frames to be sent in a few kilobytes of wire data, so the server is forced to process them all at once (Envoy Advisory).

Impact

The attack can cause denial of service through CPU exhaustion, preventing legitimate requests from making progress and resulting in either elevated latency or request timeouts. The vulnerability enables attackers to bypass server concurrent stream limits and create an indefinite number of in-flight requests, limited only by available network bandwidth rather than round-trip time (Google Cloud Blog).

Mitigation and workarounds

Mitigations include implementing connection and stream timeouts, setting the HTTP/2 maximum concurrent streams limit to 100, limiting the HTTP/2 initial stream window size to 64 KiB, and limiting the initial connection window size to 1 MiB. For some systems, disabling the HTTP/2 protocol for downstream connections can serve as a temporary workaround. Organizations should apply available patches and updates immediately. Additional protections include rate limiting RST_STREAM frames per connection and closing connections when abuse is detected (Envoy Advisory, NGINX Blog).
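The following is an added illustration of the RST_STREAM rate-limiting mitigation described above, written for this page rather than taken from any of the cited vendors' code. It parses raw HTTP/2 frame headers (RFC 9113 section 4.1), counts client-initiated RST_STREAM frames per connection in a sliding window, and reports the stream at which a connection would be closed; the frame bytes, the threshold of 20 resets per second and the timing are all constructed assumptions.

```python
import struct
from collections import deque

HEADERS, RST_STREAM = 0x1, 0x3  # frame type codes from RFC 9113

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) from raw HTTP/2 frames.
    A trailing partial frame is left unread, as a real server would wait for more bytes."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            break
        yield ftype, flags, stream_id, payload
        off += 9 + length

class RstRateGuard:
    """Sliding-window counter of client-initiated RST_STREAM frames on one connection."""
    def __init__(self, max_resets: int, window_s: float):
        self.max_resets, self.window_s = max_resets, window_s
        self.resets = deque()

    def observe(self, ftype: int, stream_id: int, now: float) -> bool:
        # Client-initiated streams have odd identifiers (RFC 9113 section 5.1.1).
        if ftype == RST_STREAM and stream_id % 2 == 1:
            self.resets.append(now)
        while self.resets and now - self.resets[0] > self.window_s:
            self.resets.popleft()
        return len(self.resets) > self.max_resets  # True: close the connection

def frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Encode one HTTP/2 frame (used here only to build constructed sample input)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def simulate(burst_streams: int, max_resets: int = 20, window_s: float = 1.0):
    """Constructed input: HEADERS (END_STREAM|END_HEADERS, HPACK ':method GET') immediately
    followed by RST_STREAM(CANCEL) on each odd stream id, all arriving within half a second.
    Returns the stream id at which the guard would close the connection, or None."""
    data = b"".join(frame(HEADERS, sid, b"\x82", 0x5) + frame(RST_STREAM, sid, b"\x00\x00\x00\x08")
                    for sid in range(1, 2 * burst_streams, 2))
    guard, tripped_at = RstRateGuard(max_resets, window_s), None
    for i, (ftype, _flags, sid, _payload) in enumerate(parse_frames(data)):
        now = i * (0.5 / max(1, 2 * burst_streams))  # assumed arrival times, spread over 0.5 s
        if guard.observe(ftype, sid, now) and tripped_at is None:
            tripped_at = sid
    return tripped_at
```

A burst of 5 cancelled streams stays under the threshold, while a burst of 100 trips the guard at the 21st reset (stream id 41), which is the point at which a server following the Envoy and NGINX guidance would close the connection.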

Community reactions

The vulnerability prompted a coordinated industry response, with major technology companies including Google, Cloudflare, Amazon, and NGINX collaborating on identification and mitigation strategies. Google helped lead a coordinated vulnerability disclosure process, focusing on notifying large-scale implementers of HTTP/2 including infrastructure companies and server software providers (Google Cloud Blog).

Source: This report was generated using AI.
