aikido.dev Secure My Code

Intel/AIKIDO-2024-10489

AIKIDO-2024-10489

akka-http_2.13 is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2023-44487

75

High Risk

This Affects:

JAVA

3.0.0 - 10.5.2

Fixed in 10.5.3

TL;DR

CVE-2023-44487, also known as Rapid Reset, is a high-severity Denial of Service (DoS) vulnerability affecting the HTTP/2 protocol. This flaw allows attackers to exploit the protocol by rapidly sending streams that are immediately reset, overwhelming server resources and causing service disruption. The impact of this vulnerability is significant due to the widespread adoption of HTTP/2, with W3Techs reporting that approximately 35% of websites worldwide use it. Exploitation can lead to substantial downtime and resource exhaustion on vulnerable servers.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

akka-http_2.13 is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 10.5.2.

How to fix this

Upgrade the com.typesafe.akka:akka-http library to the patch version.

75

High Risk

This Affects:

JAVA

3.0.0 - 10.5.2

Fixed in 10.5.3

Links

CVE Details

github.com/advisories/GHSA-qppj-fm5r-hxr3

github.com/advisories/GHSA-vx74-f528-fxqg

github.com/advisories/GHSA-xpw8-rcwv-8f8p

github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf

GitHub Releases

github.com/caddyserver/caddy/releases/tag/v2.7.5

github.com/grpc/grpc/releases/tag/v1.59.2

github.com/nghttp2/nghttp2/releases/tag/v1.57.0

Fix Commits

github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1

github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

Fix PRs

github.com/apache/httpd-site/pull/10

github.com/apache/trafficserver/pull/10564

github.com/envoyproxy/envoy/pull/30055

github.com/facebook/proxygen/pull/466

github.com/grpc/grpc-go/pull/6703

github.com/h2o/h2o/pull/3291

github.com/kubernetes/kubernetes/pull/121120

github.com/line/armeria/pull/5232

github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632

github.com/microsoft/CBL-Mariner/pull/6381

github.com/nghttp2/nghttp2/pull/1961

github.com/nodejs/node/pull/50121

github.com/projectcontour/contour/pull/5826

Related Issues

github.com/Azure/AKS/issues/3947

github.com/akka/akka-http/issues/4323

github.com/alibaba/tengine/issues/1872

github.com/apache/apisix/issues/10320

github.com/caddyserver/caddy/issues/5877

github.com/dotnet/announcements/issues/277

github.com/eclipse/jetty.project/issues/10679

github.com/etcd-io/etcd/issues/16740

github.com/golang/go/issues/63417

github.com/haproxy/haproxy/issues/2312

github.com/junkurihara/rust-rpxy/issues/97

github.com/kazu-yamamoto/http2/issues/93

github.com/ninenines/cowboy/issues/1615

github.com/openresty/openresty/issues/930

github.com/opensearch-project/data-prepper/issues/3474

github.com/tempesta-tech/tempesta/issues/1986

github.com/varnishcache/varnish-cache/issues/3996

Other

doc.akka.io/reference/security-announcements/akka-http-cve-2023-44487.html

openwall.com/lists/oss-security/2023/10/10/6

openwall.com/lists/oss-security/2023/10/10/7

openwall.com/lists/oss-security/2023/10/13/4

openwall.com/lists/oss-security/2023/10/13/9

openwall.com/lists/oss-security/2023/10/18/4

openwall.com/lists/oss-security/2023/10/18/8

openwall.com/lists/oss-security/2023/10/19/6

openwall.com/lists/oss-security/2023/10/20/8

access.redhat.com/security/cve/cve-2023-44487

arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/

aws.amazon.com/security/security-bulletins/AWS-2023-011/

blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/

blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack

blog.vespa.ai/cve-2023-44487/

bugzilla.proxmox.com/show_bug.cgi?id=4988

bugzilla.redhat.com/show_bug.cgi?id=2242803

bugzilla.suse.com/show_bug.cgi?id=1216123

cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9

cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/

cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack

community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125

discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715

edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve

forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764

gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088

github.com/Kong/kong/discussions/11741

github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113

github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2

github.com/arkrwn/PoC/tree/main/CVE-2023-44487

github.com/bcdannyboy/CVE-2023-44487

github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73

github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244

github.com/micrictor/http2-rst-stream

github.com/oqtane/oqtane.framework/discussions/3367

groups.google.com/g/golang-announce/c/iNNxDTCjZvo

istio.io/latest/news/security/istio-security-2023-004/

linkerd.io/2023/10/12/linkerd-cve-2023-44487/

lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q

lists.debian.org/debian-lts-announce/2023/10/msg00020.html

lists.debian.org/debian-lts-announce/2023/10/msg00023.html

lists.debian.org/debian-lts-announce/2023/10/msg00024.html

lists.debian.org/debian-lts-announce/2023/10/msg00045.html

lists.debian.org/debian-lts-announce/2023/10/msg00047.html

lists.debian.org/debian-lts-announce/2023/11/msg00001.html

lists.debian.org/debian-lts-announce/2023/11/msg00012.html

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/

lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html

mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html

martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html

msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/

msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487

my.f5.com/manage/s/article/K000137106

netty.io/news/2023/10/10/4-1-100-Final.html

news.ycombinator.com/item?id=37830987

news.ycombinator.com/item?id=37830998

news.ycombinator.com/item?id=37831062

news.ycombinator.com/item?id=37837043

openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/

seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ

security.gentoo.org/glsa/202311-09

security.netapp.com/advisory/ntap-20231016-0001/

security.netapp.com/advisory/ntap-20240426-0007/

security.netapp.com/advisory/ntap-20240621-0006/

security.netapp.com/advisory/ntap-20240621-0007/

security.paloaltonetworks.com/CVE-2023-44487

tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14

ubuntu.com/security/CVE-2023-44487

bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/

cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487

darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event

debian.org/security/2023/dsa-5521

debian.org/security/2023/dsa-5522

debian.org/security/2023/dsa-5540

debian.org/security/2023/dsa-5549

debian.org/security/2023/dsa-5558

debian.org/security/2023/dsa-5570

haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487

netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/

nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

openwall.com/lists/oss-security/2023/10/10/6

phoronix.com/news/HTTP2-Rapid-Reset-Attack

theregister.com/2023/10/10/http2_rapid_reset_zeroday/

openwall.com/lists/oss-security/2025/08/13/6

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/

vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487

Get Secure Now

Secure your code, cloud, and runtime environments in one central system. Find and fix vulnerabilities automatically.

No credit card required | Scan results in 32secs.

Aikido Platform

Company

Resources

Industries

Use Cases

Compare

Legal

Connect

hello@aikido.dev

Security

Subscribe

Stay up to date with all updates

LinkedIn YouTube X

© 2026 Aikido Security BV | BE0792914919

Keizer Karelstraat 15, 9000, Ghent, Belgium

95 Third St, 2nd Fl, San Francisco, CA 94103, US

Unit 6.15 Runway East 18 18 Crucifix Ln, London SE1 3JW UK

Ghent, Belgium | San Francisco, US

SOC 2

ISO 27001

ISO 27001Compliant

Get Security Done