CVE-2024-28182 Overview
CVE-2024-28182 is a resource exhaustion vulnerability in nghttp2, a widely used implementation of the HTTP/2 protocol written in C. The vulnerability exists in versions prior to 1.61.0, where the nghttp2 library continues reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream has been reset. This behavior is maintained to keep the HPACK context synchronized, but it creates an exploitable condition that causes excessive CPU consumption during HPACK stream decoding.
This vulnerability is part of a broader class of HTTP/2 protocol implementation weaknesses related to CONTINUATION frame handling, which has affected multiple HTTP/2 implementations. The issue allows remote attackers to cause denial of service conditions against servers and applications using vulnerable versions of nghttp2.
Critical Impact
Remote attackers can cause denial of service by sending excessive HTTP/2 CONTINUATION frames, leading to CPU exhaustion on systems running vulnerable nghttp2 versions. No authentication is required to exploit this vulnerability.
Affected Products
- nghttp2 versions prior to 1.61.0
- Debian Linux 10.0 and 11.0
- Fedora 38, 39, and 40
Discovery Timeline
- April 4, 2024 - CVE-2024-28182 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-28182
Vulnerability Analysis
The vulnerability stems from improper resource allocation controls (CWE-770: Allocation of Resources Without Limits or Throttling) in nghttp2's HTTP/2 CONTINUATION frame processing logic. In the HTTP/2 protocol, CONTINUATION frames are used to continue a sequence of header block fragments when headers are too large to fit in a single HEADERS frame. The HPACK compression algorithm maintains state that must be kept synchronized between the sender and receiver.
When a stream is reset in nghttp2 versions before 1.61.0, the library continues to process incoming CONTINUATION frames to maintain HPACK context synchronization. However, there is no limit on the number of CONTINUATION frames that can be processed, creating an asymmetric resource consumption pattern. An attacker can send a large number of CONTINUATION frames with minimal bandwidth, while the server expends significant CPU resources decoding the HPACK-compressed data.
This vulnerability is particularly concerning because it can be exploited without authentication and affects any application or service built on vulnerable nghttp2 versions. The attack can be sustained with relatively low bandwidth requirements on the attacker's side while causing significant CPU load on the target system.
Root Cause
The root cause is the lack of a limit on the number of CONTINUATION frames accepted per stream in the nghttp2 library. The library's design prioritizes maintaining HPACK context integrity but fails to implement protective bounds on resource consumption. This allows an unbounded processing loop where CPU cycles are consumed decoding HPACK streams from an excessive number of CONTINUATION frames, even after the associated stream has been reset.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker establishes an HTTP/2 connection to a vulnerable server and initiates a stream. The attacker then sends a HEADERS frame followed by an excessive number of CONTINUATION frames. Even if the stream is reset, the server continues processing the CONTINUATION frames to maintain HPACK synchronization, consuming CPU resources with each frame processed. By sustaining this pattern or opening multiple connections, an attacker can exhaust server CPU resources and cause denial of service.
The attack is particularly effective because:
- HTTP/2 connections are typically long-lived, providing sustained attack opportunities
- CONTINUATION frames are small, requiring minimal attacker bandwidth
- HPACK decoding is computationally more expensive than sending the frames
- The attack bypasses stream-level controls since processing continues after stream reset
Detection Methods for CVE-2024-28182
Indicators of Compromise
- Unusual spikes in CPU utilization on HTTP/2-enabled servers without corresponding increases in legitimate traffic
- High numbers of HTTP/2 CONTINUATION frames observed in network traffic analysis
- Connection patterns showing streams being reset followed by continued CONTINUATION frame transmission
- Server performance degradation or unresponsiveness under moderate connection loads
Detection Strategies
- Monitor HTTP/2 frame statistics at the load balancer or reverse proxy level for abnormal CONTINUATION frame ratios
- Implement network intrusion detection rules to alert on excessive CONTINUATION frames per connection
- Deploy application performance monitoring to correlate CPU spikes with HTTP/2 connection metrics
- Review web server and application logs for connection anomalies or timeout patterns indicative of resource exhaustion
Monitoring Recommendations
- Configure alerts for CPU utilization thresholds on systems running nghttp2-based applications
- Implement deep packet inspection for HTTP/2 traffic to identify CONTINUATION frame flooding patterns
- Monitor connection duration and frame counts per connection to detect potential attack attempts
- Establish baseline metrics for normal HTTP/2 traffic patterns to identify deviations
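The per-connection frame checks described in the detection and monitoring lists above, as an added Python example that is not part of the original advisory or of nghttp2: it parses raw HTTP/2 frames from a captured byte stream and raises one alert per stream when a header block spans more CONTINUATION frames than a threshold (the default of 8 is an assumption chosen here, not a value taken from nghttp2) or when CONTINUATION frames keep arriving after RST_STREAM. The sample byte strings are constructed, with placeholder payload bytes rather than valid HPACK.

```python
from collections import defaultdict

# HTTP/2 frame type codes and the END_HEADERS flag (RFC 9113, section 6)
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; stop rather than misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length

def find_continuation_floods(data, max_continuations=8):
    """Return one (stream_id, reason) alert per stream and reason when a header
    block spans more than max_continuations CONTINUATION frames, or when
    CONTINUATION frames keep arriving after the stream was reset."""
    cont_count = defaultdict(int)   # CONTINUATION frames seen in the current header block
    reset_streams = set()           # streams for which an RST_STREAM was observed
    alerts = []
    for ftype, flags, sid, _payload in parse_frames(data):
        if ftype == RST_STREAM:
            reset_streams.add(sid)
        elif ftype == CONTINUATION:
            cont_count[sid] += 1
            if sid in reset_streams and (sid, "continuation_after_reset") not in alerts:
                alerts.append((sid, "continuation_after_reset"))
            if cont_count[sid] > max_continuations and (sid, "continuation_limit_exceeded") not in alerts:
                alerts.append((sid, "continuation_limit_exceeded"))
            if flags & END_HEADERS:
                cont_count[sid] = 0  # header block complete; restart the per-block counter
    return alerts

def frame(ftype, flags, sid, payload=b""):
    """Build a raw HTTP/2 frame (9-byte header + payload) for the constructed samples."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + sid.to_bytes(4, "big") + payload

# Constructed samples (not real captures); payload bytes are placeholders, not valid HPACK.
BENIGN = frame(HEADERS, 0x0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x86")
FLOOD = (frame(HEADERS, 0x0, 3, b"\x82") + frame(RST_STREAM, 0x0, 3, b"\x00\x00\x00\x08")
         + b"".join(frame(CONTINUATION, 0x0, 3, b"\x82") for _ in range(10)))
```

Feed `find_continuation_floods` the client-to-server bytes of one connection after the HTTP/2 connection preface; on the constructed `FLOOD` sample it reports both the reset-then-continuation pattern and the exceeded threshold for stream 3, and nothing for `BENIGN`.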
How to Mitigate CVE-2024-28182
Immediate Actions Required
- Upgrade nghttp2 to version 1.61.0 or later, which limits the number of CONTINUATION frames accepted per stream
- Apply vendor-provided patches for affected Linux distributions (Debian, Fedora) through standard package management
- Audit systems to identify all applications and services dependent on nghttp2
- Consider temporarily reducing HTTP/2 connection limits or timeouts as a stopgap measure until patching is complete
Patch Information
The nghttp2 project has released version 1.61.0 which mitigates this vulnerability by implementing a limit on the number of CONTINUATION frames accepted per stream. The fix is available through the official GitHub repository commits and the GitHub Security Advisory.
Linux distributions have released security updates:
- Debian has issued advisories for affected versions, available through the Debian LTS Announcement
- Fedora packages have been updated as documented in their package announcements
Additional technical details are available from CERT Vulnerability ID #421644.
Workarounds
According to the official security advisory, there is no workaround for this vulnerability. The only effective mitigation is upgrading to nghttp2 version 1.61.0 or later. Organizations unable to immediately upgrade should consider:
- Implementing rate limiting at the network perimeter for HTTP/2 connections
- Using a patched reverse proxy or load balancer in front of vulnerable applications
- Monitoring systems closely for signs of exploitation attempts
- Evaluating temporary fallback to HTTP/1.1 for critical services if HTTP/2-specific features are not required
# Upgrade nghttp2 on Debian/Ubuntu systems
# (libnghttp2-14 is the shared library most applications link against; nghttp2 pulls in the client/server tools)
sudo apt update
sudo apt install --only-upgrade libnghttp2-14 nghttp2

# Upgrade nghttp2 on Fedora systems
sudo dnf update nghttp2

# Verify installed version (nghttp is the client tool shipped with nghttp2; it must be installed for this check)
nghttp --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


