SentinelOne
CVE Vulnerability Database

CVE-2023-45288: HTTP/2 CONTINUATION Frame DoS Vulnerability

CVE-2023-45288 is a denial of service vulnerability in HTTP/2 endpoints caused by excessive CONTINUATION frames. Attackers can force servers to process unlimited header data, leading to resource exhaustion. This article covers technical details, affected versions, impact analysis, and mitigation strategies.


CVE-2023-45288 Overview

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request that is going to be rejected anyway. These headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the number of excess header frames an endpoint will process before closing the connection.

Critical Impact

A high-risk DoS vulnerability: HTTP/2 implementations that do not cap the header data parsed beyond their configured limit can be driven to resource exhaustion.

Affected Products

  • Not Available

Discovery Timeline

  • 2024-04-04 - CVE-2023-45288 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2023-45288

Vulnerability Analysis

The vulnerability stems from the way HTTP/2 endpoints handle CONTINUATION frames. By sending an excessive number of these frames, an attacker can force the endpoint to parse a large amount of header data for a request that will be rejected, leading to Denial of Service (DoS).

Root Cause

The root cause is that header data beyond MaxHeaderBytes is still parsed, and no limit is enforced on the number of excess CONTINUATION frames processed before the connection is closed.

Attack Vector

Network

```plaintext
// Example exploitation code (sanitized)
http_request {
    method: "POST",
    headers: {
        "Excessive-Headers": "<huge amount of data...>",
    },
    continuation_frames: [
        "part1",
        "part2",
        // more parts...
    ]
}
```

Detection Methods for CVE-2023-45288

Indicators of Compromise

  • Unusually high HTTP/2 traffic with excessive CONTINUATION frames
  • Spike in server resource usage (CPU/memory) during HTTP/2 communication
  • Logs showing rejected requests with large header data

Detection Strategies

Use network traffic analysis tools to monitor for excessive CONTINUATION frames. Anomaly detection logic can alert on unusually large header data in HTTP/2 communications.

Monitoring Recommendations

Log the amount of header data processed for every incoming HTTP/2 request, and alert when header-size thresholds are exceeded or unexpected header patterns appear.
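The following Go program is an added example, not code from this page or from any affected project. It implements the detection logic described in the Detection Strategies and Monitoring Recommendations sections and mirrors the fix described in the overview: it parses a raw HTTP/2 frame stream with the standard library only, follows the header block being assembled on a connection, keeps counting header bytes after the block passes a MaxHeaderBytes-style cap, and marks the connection for closure once more than a tolerated number of header frames arrive past that cap. The frame streams, the cap values (16 KiB, 4 excess frames) and all function names are constructed for illustration; zero bytes stand in for HPACK data because only frame lengths matter to the count.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// HTTP/2 frame constants (RFC 7540 section 6) needed to follow header blocks.
const (
	frameHeaders      byte = 0x1
	frameContinuation byte = 0x9
	flagEndHeaders    byte = 0x4
	frameHeaderLen         = 9
)

// Frame is one decoded HTTP/2 frame: the 9-byte header plus its payload.
type Frame struct {
	Type, Flags byte
	StreamID    uint32
	Payload     []byte
}

// parseFrame decodes the frame at the front of b and returns the remaining bytes.
func parseFrame(b []byte) (Frame, []byte, error) {
	if len(b) < frameHeaderLen {
		return Frame{}, nil, fmt.Errorf("short frame header")
	}
	end := frameHeaderLen + (int(b[0])<<16 | int(b[1])<<8 | int(b[2]))
	if len(b) < end {
		return Frame{}, nil, fmt.Errorf("truncated frame payload")
	}
	// Stream ID is 31 bits; the top bit is reserved and cleared here.
	return Frame{b[3], b[4], binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff, b[frameHeaderLen:end]}, b[end:], nil
}

// Result summarizes what Inspect observed on one connection.
type Result struct {
	ContinuationFrames int    // CONTINUATION frames seen
	Close              bool   // the connection should be torn down
	Reason             string // why Close was set
}

// Inspect walks a raw frame stream. Header bytes past maxHeaderBytes are still counted (as the
// vulnerable behaviour parses them), and once more than maxExcessFrames header frames arrive past
// that cap the connection is marked for closure. Payload length is taken as fragment length
// (PADDED/PRIORITY fields are not stripped, which only makes the count conservative).
func Inspect(raw []byte, maxHeaderBytes, maxExcessFrames int) (Result, error) {
	var res Result
	inBlock, blockID, blockLen, excess := false, uint32(0), 0, 0
	for len(raw) > 0 {
		f, rest, err := parseFrame(raw)
		if err != nil {
			return res, err
		}
		raw = rest
		switch {
		case f.Type == frameHeaders && !inBlock:
			inBlock, blockID, blockLen, excess = true, f.StreamID, 0, 0
		case f.Type == frameContinuation && inBlock && f.StreamID == blockID:
			res.ContinuationFrames++
		case inBlock || f.Type == frameContinuation: // RFC 7540: header blocks are contiguous
			return res, fmt.Errorf("frame type 0x%x on stream %d breaks header block sequencing", f.Type, f.StreamID)
		default:
			continue // frames outside a header block are irrelevant to this check
		}
		blockLen += len(f.Payload)
		if blockLen > maxHeaderBytes {
			if excess++; excess > maxExcessFrames {
				res.Close = true
				res.Reason = fmt.Sprintf("stream %d: %d header frames past the %d-byte cap", blockID, excess, maxHeaderBytes)
				return res, nil
			}
		}
		inBlock = f.Flags&flagEndHeaders == 0
	}
	return res, nil
}

// buildFrame serializes one frame; used only to construct sample input.
func buildFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	n := len(payload)
	out := append([]byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags}, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[5:9], streamID&0x7fffffff)
	return append(out, payload...)
}

// sampleFlood constructs a CONTINUATION flood: a HEADERS frame that never signals END_HEADERS, then n one-KiB fragments.
func sampleFlood(n int) []byte {
	out := buildFrame(frameHeaders, 0, 3, make([]byte, 1024))
	for i := 0; i < n; i++ {
		out = append(out, buildFrame(frameContinuation, 0, 3, make([]byte, 1024))...)
	}
	return out
}

func main() {
	samples := map[string][]byte{"benign": buildFrame(frameHeaders, flagEndHeaders, 1, make([]byte, 200)), "flood": sampleFlood(500)}
	for name, raw := range samples {
		res, err := Inspect(raw, 16<<10, 4) // illustrative caps: 16 KiB of headers, 4 excess frames
		fmt.Printf("%s: err=%v %+v\n", name, err, res)
	}
}
```

With the illustrative caps, the benign request passes untouched, while the flood is cut off after its 20th CONTINUATION frame: the block crosses the 16 KiB cap at the 16th fragment, four more are tolerated, and the fifth excess frame triggers closure. The same counters (CONTINUATION frames per stream, header bytes past the cap) are what a monitoring pipeline should log and alert on.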

How to Mitigate CVE-2023-45288

Immediate Actions Required

  • Implement strict caps on header sizes and number of CONTINUATION frames in HTTP/2 settings
  • Monitor and limit requests that exceed these thresholds
  • Update server software to include patches that address this behavior

Patch Information

Ensure all HTTP/2 implementations are up-to-date and configured with appropriate security measures to limit frame processing.

Workarounds

Configure stricter server limits on the number of CONTINUATION frames and the total header size, and rate-limit HTTP/2 connections.

```bash
# Configuration example
# Note: this SetEnvIf directive only sets an environment variable for requests to the
# root URI; it does not by itself cap CONTINUATION frames or header bytes. The effective
# mitigation is the vendor patch referenced above.
echo "SetEnvIf Request_URI ^/$ no-more" > /etc/httpd/conf.d/security.conf
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
