
HTTP/2 Protocol CVE-2023-44487

Severity: HIGH
Weakness: Uncontrolled Resource Consumption (CWE-400)
Published: 2023-10-10 (cve@mitre.org)
Base score: 7.5 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline

1. Added to CISA KEV: May 12, 2026, 11:31 (CISA)

Blast Radius

Ecosystem impact († from your stack dependencies; transitive graph resolved by vuln.today to 4-path depth):
  • 23 maven packages depend on com.typesafe.akka:akka-http-core_2.11 (8 direct, 15 indirect)
  • 25 maven packages depend on com.typesafe.akka:akka-http-core_2.12 (6 direct, 19 indirect)
  • 27 maven packages depend on com.typesafe.akka:akka-http-core_2.13 (8 direct, 19 indirect)
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 3 maven packages depend on org.apache.tomcat:tomcat-coyote (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.1.15 and other introduced versions.

Description (NVD)

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Analysis (AI)

Denial of service against HTTP/2 server implementations allows remote unauthenticated attackers to exhaust server resources by rapidly opening and immediately canceling (RST_STREAM) large numbers of streams over a single connection, a technique dubbed the 'Rapid Reset' attack. The flaw is confirmed actively exploited (CISA KEV) following large-scale weaponization observed August through October 2023, with publicly available exploit code and an EPSS score of 94.45% placing it in the 100th percentile for likelihood of exploitation. Virtually every major HTTP/2 stack - including nghttp2, Netty, Envoy, and Eclipse Jetty - is affected.

Technical Context (AI)

The defect lives in the HTTP/2 protocol specification (RFC 7540) rather than any single implementation, which is why it cascades across the ecosystem (nghttp2, Netty, Envoy 1.24.10/1.25.9/1.26.4/1.27.0, Eclipse Jetty, and most reverse proxies and web servers). HTTP/2 multiplexes many concurrent streams over a single TCP/TLS connection and lets the client send RST_STREAM to abort a stream cheaply on the wire. Servers, however, must still allocate request state (headers, HPACK context, routing, sometimes upstream sockets) before observing the reset, so a client that opens-then-resets streams at high rates can consume CPU, memory, and worker threads far beyond the SETTINGS_MAX_CONCURRENT_STREAMS budget. This maps cleanly to CWE-400 (Uncontrolled Resource Consumption): asymmetric attacker cost versus server cost on a per-stream basis.

Remediation (AI)

Patch available per vendor advisory - upgrade each affected HTTP/2 implementation to the vendor-fixed version: nghttp2 1.57.0+, Netty 4.1.100.Final+, Envoy 1.24.12/1.25.11/1.26.6/1.27.1+, and the corresponding Jetty/Apache/nginx/Go/gRPC releases published in October 2023; consult CERT/CC VU#421644 and each vendor's advisory for the exact patched build. Because the root cause is a protocol design issue, even patched servers benefit from defense-in-depth: lower SETTINGS_MAX_CONCURRENT_STREAMS (e.g., to 100), enforce a stricter ratio of RST_STREAM frames to opened streams per connection and tear down abusive sessions, rate-limit new streams per connection, and place a patched, hardened reverse proxy or CDN/WAF (Cloudflare, Akamai, AWS Shield) in front of origin servers. As a last resort, HTTP/2 can be disabled in favor of HTTP/1.1, but this sacrifices multiplexing performance and breaks gRPC and other HTTP/2-only clients, so it is rarely acceptable in production.
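Defender-side detection of the open-then-reset pattern described in the Technical Context, and of the per-connection RST_STREAM ratio check recommended above, as an added example (not code from vuln.today or from any of the listed vendors): it keeps a sliding window of HEADERS and RST_STREAM frames per connection and flags a connection once both an absolute reset budget and a reset-to-open ratio are exceeded. The window size, budget, ratio and the frame events are assumed or constructed values.

```python
from collections import defaultdict, deque

# Tunables are assumptions for this example, not values from any vendor advisory.
WINDOW_SECONDS = 1.0        # sliding window over which frames are counted
MAX_RESETS_PER_WINDOW = 50  # absolute RST_STREAM budget per connection per window
MAX_RESET_RATIO = 0.5       # RST_STREAM / HEADERS (new streams) within the window


class RapidResetGuard:
    """Per-connection bookkeeping a server or proxy can keep to spot open-then-reset abuse."""

    def __init__(self) -> None:
        # conn_id -> {"HEADERS": timestamps of new streams, "RST_STREAM": timestamps of resets}
        self.conns = defaultdict(lambda: {"HEADERS": deque(), "RST_STREAM": deque()})
        self.flagged: set[str] = set()

    def observe(self, conn_id: str, frame: str, ts: float) -> bool:
        """Record one client frame; return True if the connection should be torn down."""
        if conn_id in self.flagged:
            return True
        q = self.conns[conn_id]
        if frame in q:                      # other frame types do not affect the budget
            q[frame].append(ts)
        for d in q.values():                # drop timestamps outside the sliding window
            while d and ts - d[0] > WINDOW_SECONDS:
                d.popleft()
        opens, resets = len(q["HEADERS"]), len(q["RST_STREAM"])
        # A few cancellations are normal; flag only when both the absolute budget
        # and the reset-to-open ratio are exceeded.
        if resets > MAX_RESETS_PER_WINDOW and opens and resets / opens > MAX_RESET_RATIO:
            self.flagged.add(conn_id)
            return True
        return False


def abusive_connections(events):
    """events: iterable of (conn_id, frame_type, timestamp); returns the flagged conn ids."""
    guard = RapidResetGuard()
    return {c for c, f, t in events if guard.observe(c, f, t)}


# Constructed sample traffic: a normal client opening 10 streams and cancelling 2,
# and a client opening and immediately resetting 200 streams within 100 ms.
NORMAL = [("conn-a", "HEADERS", i * 0.05) for i in range(10)] + \
         [("conn-a", "RST_STREAM", 0.5), ("conn-a", "RST_STREAM", 0.6)]
ABUSIVE = [("conn-b", kind, i * 0.0005 + off)
           for i in range(200) for kind, off in (("HEADERS", 0.0), ("RST_STREAM", 0.0001))]

if __name__ == "__main__":
    print(abusive_connections(NORMAL + ABUSIVE))  # -> {'conn-b'}
```

In a real deployment the tear-down would be a GOAWAY followed by closing the connection, and the thresholds would be tuned against observed legitimate cancellation rates.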


CVE-2023-44487 vulnerability details – vuln.today
