
GMS-2023-3352: github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

October 10, 2023

Impact

Rapidly creating and cancelling streams (a HEADERS frame immediately followed by RST_STREAM) without bound causes a denial of service.

See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Patches

nghttp2 v1.57.0 mitigates this vulnerability by default.

Workarounds

If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback and check and count RST_STREAM frames. If an excessive number of RST_STREAM frames is received, take action, such as dropping the connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.
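
The workaround above as an added C example (not nghttp2 project code): a per-connection RST_STREAM counter with a constructed 1000 ms window, replayed against the HEADERS/RST_STREAM pattern. The nghttp2_on_frame_recv_callback wiring that calls nghttp2_submit_goaway or fails the session is an assumption, placed behind an assumed HAVE_NGHTTP2 build flag so the rest compiles stand-alone.

```c
/* Added example, not nghttp2 project code: the RST_STREAM counting the
 * workaround describes. The counter compiles stand-alone; the nghttp2
 * callback wiring sits behind an assumed HAVE_NGHTTP2 build flag. */
#include <stdint.h>
#define HTTP2_RST_STREAM 0x03 /* RST_STREAM frame type, RFC 9113 */
enum rst_action { RST_OK = 0, RST_GOAWAY = 1, RST_DROP = 2 };
typedef struct {
    uint64_t window_start_ms, window_ms; /* counting window; 1000 ms is a constructed choice */
    uint32_t count;                      /* RST_STREAM frames seen in this window */
    uint32_t goaway_limit, drop_limit;   /* above these: GOAWAY and drain, or close silently */
} rst_limiter;
/* Feed every received frame type; only RST_STREAM frames are counted. */
enum rst_action rst_limiter_observe(rst_limiter *l, uint8_t frame_type, uint64_t now_ms) {
    if (frame_type != HTTP2_RST_STREAM) return RST_OK;
    if (now_ms - l->window_start_ms >= l->window_ms) { /* window expired: restart count */
        l->window_start_ms = now_ms;
        l->count = 0;
    }
    l->count++;
    if (l->count > l->drop_limit) return RST_DROP;
    if (l->count > l->goaway_limit) return RST_GOAWAY;
    return RST_OK;
}
/* Replays the Rapid Reset pattern (HEADERS immediately followed by RST_STREAM,
 * `pairs` times inside one window) and returns the harshest verdict reached. */
enum rst_action replay_rapid_reset(unsigned pairs, uint32_t goaway_limit, uint32_t drop_limit) {
    rst_limiter l = { 0, 1000, 0, goaway_limit, drop_limit };
    enum rst_action worst = RST_OK;
    for (unsigned i = 0; i < pairs; i++) {
        rst_limiter_observe(&l, 0x01, 5);                    /* HEADERS: not counted */
        enum rst_action a = rst_limiter_observe(&l, HTTP2_RST_STREAM, 5);
        if (a > worst) worst = a;
    }
    return worst;
}
#ifdef HAVE_NGHTTP2 /* assumed flag; pass the limiter as user_data when creating the session */
#include <nghttp2/nghttp2.h>
#include <time.h>
static int on_frame_recv(nghttp2_session *s, const nghttp2_frame *frame, void *user_data) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    uint64_t now_ms = (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
    enum rst_action a = rst_limiter_observe(user_data, frame->hd.type, now_ms);
    if (a == RST_DROP) return NGHTTP2_ERR_CALLBACK_FAILURE; /* fail the session; caller closes the socket */
    if (a == RST_GOAWAY) /* graceful: GOAWAY(ENHANCE_YOUR_CALM) lets in-flight streams finish */
        nghttp2_submit_goaway(s, NGHTTP2_FLAG_NONE, nghttp2_session_get_last_proc_stream_id(s),
                              NGHTTP2_ENHANCE_YOUR_CALM, NULL, 0);
    return 0;
}
#endif
```

The limits are deliberately left as parameters: a legitimate client resets a handful of streams per second, so a threshold in the hundreds separates ordinary cancellation from the flood this advisory describes.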

References

The following commit mitigates this vulnerability:

  • https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832

References

  • github.com/advisories/GHSA-vx74-f528-fxqg
  • github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
  • github.com/nghttp2/nghttp2/releases/tag/v1.57.0
  • github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Affected versions

All versions before 1.57.0

Fixed versions

  • 1.57.0

Solution

Upgrade to version 1.57.0 or above.

Source file

go/github.com/nghttp2/nghttp2/GMS-2023-3352.yml

Page generated Wed, 14 May 2025 12:15:11 +0000.