Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Apr 2024 13:06:00 -0700
From: Alan Coopersmith <>
Subject: CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS
 attacks announces:

> HTTP/2 CONTINUATION frames can be utilized for DoS attacks
> ==========================================================
> Vulnerability Note VU#421644
> Original Release Date: 2024-04-03 | Last Revised: 2024-04-03
> Overview
> --------
> HTTP allows messages to include named fields in both header and
> trailer sections. These header and trailer fields are serialised as
> field blocks in HTTP/2, so that they can be transmitted in multiple
> fragments to the target implementation. Many HTTP/2 implementations do
> not properly limit or sanitize the amount of CONTINUATION frames sent
> within a single stream. An attacker that can send packets to a target
> server can send a stream of CONTINUATION frames that will not be
> appended to the header list in memory but will still be processed and
> decoded by the server or will be appended to the header list, causing
> an out of memory (OOM) crash.
> Description
> -----------
> HTTP/2 utilizes header fields within HTTP request and response
> messages. Header fields can comprise header lists, which in turn are
> broken into header blocks. These header blocks are transmitted in
> multiple fragments to the target implementation. HTTP/2 CONTINUATION
> frames are used to continue a sequence of field block fragments. They
> are utilized in order to split header blocks across multiple
> frames. The other two types of header block fragments are HEADERS or
> PUSH_PROMISE. CONTINUATION frames can be utilized to continue a header
> block fragment that could not be transmitted by the HEADERS or
> PUSH_PROMISE frames. A header block is considered completed when the
> server receives a set END_HEADERS flag. This is intended to denote
> that there are no further CONTINUATION, HEADERS, or PUSH_PROMISE
> frames. A vulnerability has been discovered within multiple
> implementations that does not limit the amount of CONTINUATION frames
> that can be sent within a single stream.
> The implementation will continue to receive frames as long as the
> END_HEADERS flag is not set during these communications. An attacker
> can initialize a connection to a server with typical HTTP/2 frames and
> then receive initial frames from the server. The attacker can then
> begin an HTTP request with no set END_HEADERS flags. This can allow an
> attacker to send a stream of CONTINUATION frames to the target server,
> which can result in an out-of-memory crash, enabling an attacker to
> launch a denial of service (DoS) attack against a target server using
> a vulnerable implementation.
> Additionally, an attacker can send HPACK Huffman encoded CONTINUATION
> frames to a target implementation. This can cause CPU resource
> exhaustion and result in a DoS as the the CPU must decode every
> encoded frame that it receives.
> Below are several CVE listings to reflect the vulnerability within
> different implementations.
> CVE-2024-27983
> An attacker can make the Node.js HTTP/2 server unavailable by sending
> a small amount of HTTP/2 frames packets with a few HTTP/2 frames
> inside. It is possible to leave some data in nghttp2 memory after
> reset when headers with HTTP/2 CONTINUATION frame are sent to the
> server and then a TCP connection is abruptly closed by the client
> triggering the Http2Session destructor while header frames are still
> being processed (and stored in memory) causing a race condition.
> CVE-2024-27919
> Envoy's oghttp codec does not reset a request when header map limits
> have been exceeded. This allows an attacker to send an sequence of
> CONTINUATION frames without the END_HEADERS bit set causing unlimited
> memory consumption.
> CVE-2024-2758
> Tempesta FW rate limits are not enabled by default. They are either
> set too large to capture empty CONTINUATION frames attacks or too
> small to handle normal HTTP requests appropriately.
> CVE-2024-2653
> amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded
> buffer and will not check the header size limit until it has received
> the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and
> amphp/http-server are indirectly affected if they're used with an
> unpatched version of amphp/http. Early versions of amphp/http-client
> with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
> CVE-2023-45288
> The Go packages net/http and net/http2 packages do not limit the
> number of CONTINUATION frames read for an HTTP/2 request, which
> permits an attacker to provide an arbitrarily large set of headers for
> a single request, that will be read, decoded, and subsequently
> discarded, which may result in excessive CPU consumption.
> CVE-2024-28182
> An implementation using the nghttp2 library will continue to receive
> CONTINUATION frames, and will not callback to the application to allow
> visibility into this information before it resets the stream,
> resulting in a DoS.
> CVE-2024-27316
> HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be
> sent in a continuous stream by an attacker to an Apache Httpd
> implementation, which will not properly terminate the request early.
> CVE-2024-31309
> HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to
> consume more resources on the server. Version from 8.0.0 through
> 8.1.9, from 9.0.0 through 9.2.3 are affected.
> CVE-2024-30255
> HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are
> vulnerable to CPU exhaustion due to flood of CONTINUATION
> frames. Envoys HTTP/2 codec allows the client to send an unlimited
> number of CONTINUATION frames even after exceeding Envoys header map
> limits. This allows an attacker to send a sequence of CONTINUATION
> frames without the END_HEADERS bit set causing CPU utilization,
> consuming approximately 1 core per 300Mbit/s of traffic.
> Impact
> ------
> Successful exploitation of this vulnerability can allow an attacker
> the capability to launch DoS attacks against servers utilizing
> vulnerable implementations.
> Solution
> --------
> Different HTTP/2 implementations may have separate, unique
> vulnerabilities specific to that implementation. It is important to
> note that it may be difficult to analyze incoming malicious traffic
> exploiting this vulnerability as the HTTP request is not properly
> completed. Analysis of raw HTTP traffic may be necessary to determine
> an attack utilizing this vulnerability.
> Acknowledgements
> ----------------
> Thank you to Bartek Nowotarski for reporting the vulnerability.
> This document was written by Christopher Cullen. has links to further information
from various vendors about how this affects their products.

The writeup from the researcher who found & reported this is at

         -Alan Coopersmith-       
          Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.