CVE-2023-45288 Overview
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Impact
Denial of service. An unauthenticated remote attacker can drive CPU consumption on an HTTP/2 server by sending an endless sequence of CONTINUATION frames that the server must HPACK-decode but never has to store. NVD rates the vulnerability 7.5 (High); there is no confidentiality or integrity impact. Because nothing is allocated for the excess headers, memory-based limits and monitors do not catch it.
Affected Products
- Go standard library net/http (HTTP/2 server), Go versions before 1.21.9 and before 1.22.2
- golang.org/x/net/http2, versions before v0.23.0
Discovery Timeline
- 2024-04-04 - CVE-2023-45288 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-45288
Vulnerability Analysis
The attack abuses the HTTP/2 header block mechanism. A header block starts with a HEADERS frame and, while the END_HEADERS flag is clear, continues across any number of CONTINUATION frames on the same stream. Because the HPACK dynamic table is shared by the whole connection, the receiver cannot skip a fragment: it must decode every one to keep compression state consistent with the sender. An attacker therefore opens a header block and never sets END_HEADERS, streaming CONTINUATION frames full of Huffman-encoded literals. Once the request passes MaxHeaderBytes the server stores nothing more, but it keeps decoding, and Huffman decoding costs the receiver far more CPU per byte than it costs the attacker to send. The result is CPU exhaustion from a single connection, spent on a request that will be rejected anyway.
Root Cause
Before the fix, MaxHeaderBytes acted only as a storage limit: when a request's header block exceeded it, the excess fragments were dropped from memory but still fully parsed, and there was no bound on how many further HEADERS or CONTINUATION bytes the connection would process before being closed. The patch introduces that bound and terminates the connection when it is reached.
Attack Vector
Network
// Illustrative frame sequence on one connection (description, not a working exploit)
// 1. HEADERS frame, stream 1, END_HEADERS flag clear, carrying a header block
//    fragment of Huffman-encoded literal header fields
// 2. CONTINUATION frame, stream 1, END_HEADERS clear, more Huffman-encoded fields
// 3. CONTINUATION frame, stream 1, END_HEADERS clear, more Huffman-encoded fields
//    ... repeated indefinitely; END_HEADERS is never set, so the header block
//    never completes and the receiver must decode every fragment to keep its
//    HPACK state in sync, even after the request has exceeded MaxHeaderBytes
Detection Methods for CVE-2023-45288
Indicators of Compromise
- HTTP/2 connections on which a HEADERS frame with END_HEADERS clear is followed by a long run of CONTINUATION frames that never set END_HEADERS
- Server CPU climbing on HTTP/2 connections while request counts and memory stay flat (the excess headers are parsed, not stored)
- Header blocks far larger than MaxHeaderBytes on requests that are ultimately rejected or never complete
Detection Strategies
Where traffic is visible in the clear, at a TLS-terminating proxy or through the server's own telemetry, count CONTINUATION frames and cumulative header block bytes per stream and alert when either exceeds what legitimate clients send; most legitimate requests fit in a single HEADERS frame. Since HTTP/2 is almost always carried over TLS, a passive network sensor without session keys sees only encrypted records, so the most reliable signal comes from the endpoint itself.
Monitoring Recommendations
On the endpoint, keep per-connection counters for header block bytes processed and CONTINUATION frames received, and alert when a header block exceeds MaxHeaderBytes or stays open without END_HEADERS for longer than a short deadline. Track the fraction of header blocks that need CONTINUATION at all; a sudden increase is suspicious. Correlate CPU spikes with connections rather than with request volume, since a single connection is enough to cause the problem.
How to Mitigate CVE-2023-45288
Immediate Actions Required
- Upgrade: rebuild Go services with Go 1.21.9 or 1.22.2 (or later) and, for code that imports golang.org/x/net/http2 directly, update that module to v0.23.0 or later. Lowering MaxHeaderBytes does not help on its own: the excess is parsed regardless of that setting.
- Where upgrading is delayed, disable HTTP/2 on the affected server or terminate HTTP/2 at a patched reverse proxy and forward HTTP/1.1 to the Go service
- Apply per-client connection rate limits so that one source cannot hold many CPU-burning connections at once
Patch Information
The fix shipped in Go 1.21.9 and Go 1.22.2 (net/http) and in golang.org/x/net v0.23.0 (http2 package). Because Go binaries are statically linked, every affected service must be rebuilt with a patched toolchain and module version; updating the Go installation on a host does not fix binaries already deployed. govulncheck reports binaries that still contain the vulnerable code.
Workarounds
Go's HTTP/2 server exposes no setting that caps the number of CONTINUATION frames or the bytes parsed past MaxHeaderBytes, so the only configuration-level workaround is to stop speaking HTTP/2 until the binary is rebuilt: run the service with the environment variable GODEBUG=http2server=0, or set http.Server.TLSNextProto to a non-nil empty map; either disables HTTP/2 in net/http. Alternatively terminate TLS and HTTP/2 at a reverse proxy that is not affected and forward plain HTTP/1.1 to the Go service. Per-client connection rate limiting reduces how much CPU a single attacker can consume but does not remove the underlying asymmetry.
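The following is an added example, written for this page and not taken from Go's net/http or x/net/http2 sources, that makes the detection indicators and the nature of the fix concrete in Go. It parses raw HTTP/2 frames, builds the advisory's attack shape (one HEADERS frame with END_HEADERS clear followed by CONTINUATION frames that never set it), and audits the stream the way a server must: every fragment is charged to the open header block. With excessCap set to 0 it models the unpatched behaviour, where parsing continues without bound once MaxHeaderBytes is passed; with a positive excessCap it models the patched behaviour of closing the connection after a bounded amount of excess. The 64 KiB cap, the 0x41 filler bytes standing in for Huffman-coded literals, and all function and type names are assumptions of this example, not values from the real fix.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame types and flags that carry header block fragments (RFC 9113 6.2, 6.10).
const (
	frameHeaders      byte = 0x1
	frameContinuation byte = 0x9
	flagEndHeaders    byte = 0x4
	frameHeaderLen         = 9
)

// Frame is a decoded 9-byte HTTP/2 frame header plus its payload.
type Frame struct {
	Type, Flags byte
	StreamID    uint32
	Payload     []byte
}

// EncodeFrame serialises one frame (used here to build the constructed input).
func EncodeFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	buf := make([]byte, frameHeaderLen+len(payload))
	buf[0], buf[1], buf[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	buf[3], buf[4] = typ, flags
	binary.BigEndian.PutUint32(buf[5:9], streamID&0x7fffffff)
	copy(buf[frameHeaderLen:], payload)
	return buf
}

// ParseFrames splits the raw bytes of one connection (after the client preface)
// into frames, stopping with an error on a truncated frame.
func ParseFrames(raw []byte) ([]Frame, error) {
	var frames []Frame
	for len(raw) > 0 {
		if len(raw) < frameHeaderLen {
			return frames, errors.New("truncated frame header")
		}
		n := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
		if len(raw) < frameHeaderLen+n {
			return frames, errors.New("truncated frame payload")
		}
		frames = append(frames, Frame{Type: raw[3], Flags: raw[4],
			StreamID: binary.BigEndian.Uint32(raw[5:9]) & 0x7fffffff,
			Payload:  raw[frameHeaderLen : frameHeaderLen+n]})
		raw = raw[frameHeaderLen+n:]
	}
	return frames, nil
}

// Audit summarises one connection's header-block behaviour.
type Audit struct {
	ContinuationFrames int  // CONTINUATION frames processed
	HeaderBlockBytes   int  // fragment bytes in the largest header block
	ExceededLimit      bool // a block grew past maxHeaderBytes
	ClosedConnection   bool // excess cap tripped and the connection was dropped
}

// AuditHeaderBlocks charges every HEADERS/CONTINUATION fragment to the open
// header block, as a server must to keep HPACK state in sync. maxHeaderBytes
// plays the role of http.Server.MaxHeaderBytes. excessCap is an assumed bound
// on fragment bytes accepted after that limit; excessCap <= 0 models the
// unpatched, unbounded behaviour that is the CVE-2023-45288 condition.
func AuditHeaderBlocks(frames []Frame, maxHeaderBytes, excessCap int) Audit {
	var a Audit
	inBlock, blockBytes := false, 0
	for _, f := range frames {
		switch f.Type {
		case frameHeaders:
			inBlock, blockBytes = true, 0
		case frameContinuation:
			a.ContinuationFrames++
			if !inBlock {
				continue // CONTINUATION with no open block is a protocol error; skipped here
			}
		default:
			continue
		}
		blockBytes += len(f.Payload)
		if blockBytes > a.HeaderBlockBytes {
			a.HeaderBlockBytes = blockBytes
		}
		if blockBytes > maxHeaderBytes {
			a.ExceededLimit = true
			if excessCap > 0 && blockBytes-maxHeaderBytes > excessCap {
				a.ClosedConnection = true // patched servers stop here
				return a
			}
		}
		if f.Flags&flagEndHeaders != 0 {
			inBlock = false
		}
	}
	return a
}

// BuildFlood constructs the advisory's attack shape: a HEADERS frame with
// END_HEADERS clear followed by n CONTINUATION frames that never set it.
// The filler bytes are constructed input, not real HPACK.
func BuildFlood(n, fragSize int) []byte {
	frag := make([]byte, fragSize)
	for i := range frag {
		frag[i] = 0x41
	}
	raw := EncodeFrame(frameHeaders, 0, 1, frag)
	for i := 0; i < n; i++ {
		raw = append(raw, EncodeFrame(frameContinuation, 0, 1, frag)...)
	}
	return raw
}

func main() {
	frames, err := ParseFrames(BuildFlood(2000, 1024)) // ~2 MiB of header fragments
	if err != nil {
		panic(err)
	}
	// 1 MiB is net/http's DefaultMaxHeaderBytes; the 64 KiB excess cap is assumed.
	fmt.Printf("unpatched: %+v\n", AuditHeaderBlocks(frames, 1<<20, 0))
	fmt.Printf("patched:   %+v\n", AuditHeaderBlocks(frames, 1<<20, 64<<10))
}
```

Run as-is to compare the two audits: the unpatched model reports all 2000 CONTINUATION frames processed and roughly 2 MiB of header block parsed, while the patched model closes the connection after the excess passes the cap, having processed far fewer frames. Pointed at a decrypted capture from a TLS-terminating proxy, the same audit gives the per-connection CONTINUATION count and header block size that the detection section above asks for.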
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

