Advisories for Golang/Github.com/Nghttp2/Nghttp2 package

2023

github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details. Patches nghttp2 v1.57.0 mitigates this vulnerability by default. Workarounds If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection. …