CVE-2023-44487 — HTTP/2 Rapid Reset Attack HIGH
🔴 CISA KEV — Actively Exploited
CVSS Score: 7.5 · HIGH Severity
CVE-2023-44487 is a high-severity denial-of-service vulnerability in the HTTP/2 protocol that affected essentially every HTTP/2 server implementation. A client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM. A cancelled stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, so the client can open and reset streams as fast as it can push bytes, while the server has already spent work (header decoding, routing, handler or backend dispatch) on each request before the cancel arrives. That asymmetry between cheap frames and expensive request processing is what made the attack record-breaking: Google reported a peak of 398 million requests per second against its infrastructure.
Affected Packages
| Ecosystem | Package | Vulnerable versions | Recommended version | Fix |
|---|---|---|---|---|
| Go | golang.org/x/net | < 0.17.0 | 0.23.0 | Fix guide → |
| Go | google.golang.org/grpc | < 1.56.3 / < 1.57.1 / < 1.58.3 | 1.58.3 | Fix guide → |
| Rust | hyper | < 0.14.28 / 1.x < 1.0.1 | 1.3.1 | Fix guide → |
| Java/Maven | io.netty:netty-codec-http2 | < 4.1.100.Final | 4.1.108.Final | Fix guide → |
| Go | github.com/labstack/echo/v4 | < 4.11.2 | 4.11.4 | Fix guide → |
| Go | github.com/gofiber/fiber/v2 | < 2.50.0 | 2.52.2 | Fix guide → |
Vulnerability Timeline
Aug 2023: Google, Cloudflare and AWS observe the technique being used in the wild.
Oct 10, 2023: Coordinated disclosure. CVE-2023-44487 published; patches for the major implementations released the same day.
Oct 10, 2023: CISA adds the CVE to the KEV catalog. Google confirms the 398M rps peak.
Oct–Nov 2023: Mass patching across HTTP/2 implementations.
2024–2026: Ongoing exploitation against servers that were never patched.
Frequently Asked Questions
What is the HTTP/2 Rapid Reset attack?
CVE-2023-44487 abuses HTTP/2 stream cancellation. A client opens many streams with HEADERS frames and immediately cancels each one with RST_STREAM. By the time the cancel arrives the server has already decoded the headers and started dispatching the request, and because a reset stream no longer counts against the server's concurrent-stream limit, the client never has to wait for a response before opening the next one. The result is server-side resource exhaustion from a small amount of attacker bandwidth.
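The pattern described above (and in the summary at the top of this page) is visible on the wire without decoding any headers: a connection whose client-opened streams are almost all reset with error code CANCEL before the server has answered. The following Go program is an added example, not code from any of the listed projects: it parses raw HTTP/2 frames, tallies HEADERS opens and RST_STREAM(CANCEL) resets per connection, and applies a simple ratio rule. The frame layout and constants are from RFC 9113; the traces are constructed inline, the HEADERS payload is a one-byte HPACK stand-in rather than a real header block, and the thresholds passed to IsRapidReset are assumptions for illustration, not values taken from any library's mitigation.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame type and error code values from RFC 9113 sections 6 and 7.
const (
	FrameHeaders   uint8  = 0x1
	FrameRSTStream uint8  = 0x3
	ErrCancel      uint32 = 0x8
	frameHeaderLen        = 9
)

// Frame is one decoded HTTP/2 frame: the 9-byte header plus its payload.
type Frame struct {
	Length   uint32
	Type     uint8
	Flags    uint8
	StreamID uint32
	Payload  []byte
}

// ParseFrames splits the bytes of one HTTP/2 connection (after the client
// preface and SETTINGS exchange) into frames. It returns the frames decoded
// so far and an error if the input ends mid-frame.
func ParseFrames(buf []byte) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		if len(buf) < frameHeaderLen {
			return frames, errors.New("truncated frame header")
		}
		length := uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2])
		end := frameHeaderLen + int(length)
		if len(buf) < end {
			return frames, errors.New("truncated frame payload")
		}
		frames = append(frames, Frame{
			Length:   length,
			Type:     buf[3],
			Flags:    buf[4],
			StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff, // clear the reserved bit
			Payload:  buf[frameHeaderLen:end],
		})
		buf = buf[end:]
	}
	return frames, nil
}

// Stats counts what the client did on the connection.
type Stats struct {
	Opened    int // streams the client opened with HEADERS
	Cancelled int // of those, streams it reset with RST_STREAM(CANCEL)
}

// Analyze walks the frames and tallies client-side opens and cancels.
func Analyze(frames []Frame) Stats {
	open := make(map[uint32]bool)
	var s Stats
	for _, f := range frames {
		switch f.Type {
		case FrameHeaders:
			// Client-initiated streams carry odd IDs; count each once.
			if f.StreamID%2 == 1 && !open[f.StreamID] {
				open[f.StreamID] = true
				s.Opened++
			}
		case FrameRSTStream:
			if len(f.Payload) == 4 && open[f.StreamID] {
				if binary.BigEndian.Uint32(f.Payload) == ErrCancel {
					s.Cancelled++
				}
				delete(open, f.StreamID)
			}
		}
	}
	return s
}

// IsRapidReset is a simple policy (thresholds are assumptions for this
// example, not values from any library): flag the connection once it has
// opened at least minStreams and cancelled at least the given fraction.
func IsRapidReset(s Stats, minStreams int, ratio float64) bool {
	if s.Opened < minStreams {
		return false
	}
	return float64(s.Cancelled)/float64(s.Opened) >= ratio
}

// frame serialises one frame: 24-bit length, type, flags, 31-bit stream ID.
func frame(typ, flags uint8, stream uint32, payload []byte) []byte {
	out := make([]byte, frameHeaderLen, frameHeaderLen+len(payload))
	n := len(payload)
	out[0], out[1], out[2] = byte(n>>16), byte(n>>8), byte(n)
	out[3], out[4] = typ, flags
	binary.BigEndian.PutUint32(out[5:], stream)
	return append(out, payload...)
}

// Trace builds a constructed sample connection: n client streams, each opened
// with HEADERS (END_HEADERS|END_STREAM; payload is the single HPACK indexed
// field ":method: GET", a stand-in for a real header block) and, when cancel
// is true, immediately reset with RST_STREAM(CANCEL).
func Trace(n int, cancel bool) []byte {
	var buf []byte
	rst := []byte{0, 0, 0, byte(ErrCancel)}
	for i := 0; i < n; i++ {
		sid := uint32(2*i + 1)
		buf = append(buf, frame(FrameHeaders, 0x05, sid, []byte{0x82})...)
		if cancel {
			buf = append(buf, frame(FrameRSTStream, 0x00, sid, rst)...)
		}
	}
	return buf
}

func main() {
	for _, tc := range []struct {
		name  string
		trace []byte
	}{
		{"benign", Trace(1000, false)},
		{"rapid-reset", Trace(1000, true)},
	} {
		frames, err := ParseFrames(tc.trace)
		if err != nil {
			fmt.Println(tc.name, "parse error:", err)
			continue
		}
		s := Analyze(frames)
		fmt.Printf("%-12s frames=%d opened=%d cancelled=%d flagged=%v\n",
			tc.name, len(frames), s.Opened, s.Cancelled, IsRapidReset(s, 100, 0.5))
	}
}
```

The benign trace opens 1000 streams and cancels none; the attack trace opens and cancels all 1000 in 2000 frames, which is the shape a patched server or an edge proxy keys on when it decides to close the connection. Counting cancels per connection rather than per stream matters because each individual RST_STREAM is legitimate protocol behaviour.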
Which packages are affected by CVE-2023-44487?
Any HTTP/2 server implementation. In Go: golang.org/x/net (and the net/http server bundled with the Go toolchain), grpc-go, echo, fiber. In Rust: hyper and the h2 crate it is built on. In Java: Netty. In Python: the h2 library and anything built on it (httpcore, for example). Update every HTTP/2-capable framework dependency to a patched version, and check transitive dependencies too, since x/net and h2 are usually pulled in indirectly.
How do I fix CVE-2023-44487?
Upgrade every HTTP/2-capable dependency to a patched release. For Go: golang.org/x/net v0.17.0 or later and grpc-go v1.56.3, v1.57.1 or v1.58.3 depending on your release branch; also rebuild with Go 1.20.10 or 1.21.3 or later, because the standard library's net/http HTTP/2 server carries its own copy of the fix. For Rust: hyper 0.14.28+ or 1.0.1+ (1.3.1 is the recommended version in the table above). For Java: Netty 4.1.100.Final or later. Because x/net and h2 are almost always transitive dependencies, inspect `go mod graph` or `cargo tree` rather than trusting your direct requirements. Paste your manifest into PackageFix to check all affected packages at once.
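The version check is less trivial than it looks, because grpc-go shipped the fix on three release branches: a project pinned to v1.57.0 needs v1.57.1, not v1.58.3. The following Go program is an added example, not PackageFix's or any project's own code. It encodes the Go rows of the table above, parses a go.mod, and reports each vulnerable require with the branch-appropriate minimum. The go.mod is constructed inline for the example; pre-release and pseudo-versions are treated as sorting below the release they name, and unknown modules are passed over rather than guessed at.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedIn maps each Go module in the table above to the first patched
// version on each maintained release branch, oldest branch first. A module
// on a listed branch needs that branch's fix; anything else needs the newest.
var fixedIn = map[string][]string{
	"golang.org/x/net":            {"v0.17.0"},
	"google.golang.org/grpc":      {"v1.56.3", "v1.57.1", "v1.58.3"},
	"github.com/labstack/echo/v4": {"v4.11.2"},
	"github.com/gofiber/fiber/v2": {"v2.50.0"},
}

type version struct {
	major, minor, patch int
	pre                 bool // has a -prerelease suffix, sorts below the release
}

func (v version) String() string { return fmt.Sprintf("v%d.%d.%d", v.major, v.minor, v.patch) }

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.pre && !o.pre
}

// parseVersion reads "vMAJOR.MINOR.PATCH[-pre][+build]". Pseudo-versions
// such as v0.0.0-2023...-abcdef parse as a pre-release of v0.0.0.
func parseVersion(s string) (version, bool) {
	s = strings.TrimPrefix(s, "v")
	pre := false
	if i := strings.Index(s, "-"); i >= 0 {
		pre = true
		s = s[:i]
	}
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return version{}, false
		}
		n[i] = x
	}
	return version{n[0], n[1], n[2], pre}, true
}

// minimumFor picks the fix on v's own minor branch when the project
// backported one, otherwise the newest fix version.
func minimumFor(v version, fixes []string) version {
	var newest version
	for _, f := range fixes {
		fv, _ := parseVersion(f)
		if fv.major == v.major && fv.minor == v.minor {
			return fv
		}
		if newest.less(fv) {
			newest = fv
		}
	}
	return newest
}

// IsVulnerable reports whether module@ver predates the fix and, if so, the
// version to upgrade to. Unknown modules and unparsable versions are reported
// as not vulnerable, so review those by hand.
func IsVulnerable(module, ver string) (bool, string) {
	fixes, ok := fixedIn[module]
	if !ok {
		return false, ""
	}
	v, ok := parseVersion(ver)
	if !ok {
		return false, ""
	}
	need := minimumFor(v, fixes)
	if v.less(need) {
		return true, need.String()
	}
	return false, ""
}

// ScanGoMod reads go.mod text and returns one finding per vulnerable require,
// handling both single-line and block "require" syntax and "// indirect".
func ScanGoMod(gomod string) []string {
	var findings []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		if vuln, need := IsVulnerable(fields[0], fields[1]); vuln {
			findings = append(findings, fmt.Sprintf("%s %s: upgrade to %s or later", fields[0], fields[1], need))
		}
	}
	return findings
}

// SampleGoMod is a constructed manifest for the example, not a real project's.
const SampleGoMod = `module example.com/svc

go 1.21

require (
	github.com/gofiber/fiber/v2 v2.49.2
	github.com/labstack/echo/v4 v4.11.4
	golang.org/x/net v0.14.0 // indirect
	google.golang.org/grpc v1.57.0
	google.golang.org/protobuf v1.31.0
)
`

func main() {
	for _, f := range ScanGoMod(SampleGoMod) {
		fmt.Println("VULNERABLE:", f)
	}
}
```

On the sample manifest this flags fiber, x/net and grpc-go (three findings) and leaves echo alone because v4.11.4 is past its fix. The go.mod of a real service only lists what `go mod tidy` recorded, so run the same check against `go list -m all`, which includes every module in the build graph.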
Does this affect npm/Node.js?
Node.js released patches (v18.18.2, v20.8.1, v21.0.0) addressing HTTP/2 rapid reset. If you run a Node.js HTTP/2 server, update Node.js itself in addition to your npm dependencies.
Is CVE-2023-44487 still a threat in 2026?
Yes. The CISA KEV listing records confirmed in-the-wild exploitation, and the attack needs nothing more than a client that can send HTTP/2 frames, so any server still running a pre-October-2023 HTTP/2 implementation remains exposed to the same request volumes. The fixes are library-level mitigations rather than a protocol change, so nothing protects an unpatched server other than upgrading (or disabling HTTP/2 at the edge).