CVE Vulnerability Database

CVE-2024-31309: Apache Traffic Server HTTP/2 DoS Attack

CVE-2024-31309 is an HTTP/2 CONTINUATION DoS vulnerability in Apache Traffic Server that allows attackers to exhaust server resources. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2024-31309 Overview

CVE-2024-31309 is a denial-of-service vulnerability in Apache Traffic Server (ATS) caused by improper handling of HTTP/2 CONTINUATION frames. A remote, unauthenticated client can open a header block and then send CONTINUATION frames for as long as the connection stays up, forcing the proxy to buffer and process them and to burn CPU and memory that would otherwise serve legitimate traffic. The flaw affects ATS 8.0.0 through 8.1.9 and 9.0.0 through 9.2.3. The Apache Software Foundation released fixed builds in 8.1.10 and 9.2.4, together with a new tunable, proxy.config.http2.max_continuation_frames_per_minute, that caps how many inbound CONTINUATION frames the proxy accepts per minute on a single connection. The issue is categorized under [CWE-20] Improper Input Validation.

Critical Impact

A single unauthenticated client can trigger sustained resource consumption on the proxy, leading to service degradation or outage for all traffic routed through Apache Traffic Server.

Affected Products

  • Apache Traffic Server 8.0.0 through 8.1.9
  • Apache Traffic Server 9.0.0 through 9.2.3
  • Debian Linux 10 and Fedora 38, 39, 40 distributions shipping vulnerable ATS packages

Discovery Timeline

  • 2024-04-10 - CVE-2024-31309 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-31309

Vulnerability Analysis

The vulnerability is part of the broader HTTP/2 CONTINUATION flood class disclosed publicly in April 2024. HTTP/2 carries a request's header block in one HEADERS frame followed by zero or more CONTINUATION frames on the same stream; the block ends only when a frame carries the END_HEADERS flag. The protocol places no hard limit on how many CONTINUATION frames may precede END_HEADERS, and while a header block is open the peer may send nothing else on that connection, so the receiver has to keep buffering fragments until the block completes or it gives up.

In affected ATS versions, the HTTP/2 frame parser accepted arbitrarily long sequences of CONTINUATION frames for a single header block. An attacker can keep a connection open and stream CONTINUATION frames indefinitely, forcing the proxy to spend memory on buffered header fragments and CPU cycles on HPACK decoding and header bookkeeping for a request that never completes. Sustained traffic of this shape exhausts proxy worker capacity and degrades request handling for legitimate clients.

Root Cause

The root cause is missing count or rate enforcement on CONTINUATION frames. Prior releases bounded the size of a request's headers but did not bound how many CONTINUATION frames a connection could deliver in a given period, so a client could keep the parser busy without ever tripping the size limit. The fix introduces a configurable per-connection, per-minute cap on CONTINUATION frames, and closes connections that exceed it, enforcing the limit at the protocol layer before any per-request accounting applies.

Attack Vector

An unauthenticated remote attacker completes the TCP (and, for TLS listeners, TLS) handshake, sends the HTTP/2 connection preface, and opens a stream with a HEADERS frame that omits the END_HEADERS flag. The attacker then transmits a continuous stream of CONTINUATION frames on that stream without ever setting END_HEADERS. No authentication, valid credentials or user interaction is required, so the attack scales trivially across many parallel connections, and each connection costs the attacker almost nothing while it costs the proxy buffering and decoding work. The result is CPU and memory pressure on the proxy that disrupts forwarding for all traffic it fronts.

For protocol-level technical details, see the Apache Mailing List Thread and the CERT Vulnerability ID 421644 advisory.

Detection Methods for CVE-2024-31309

Indicators of Compromise

  • Sustained inbound HTTP/2 streams with unusually high CONTINUATION to HEADERS frame ratios from a single client or small set of source IPs.
  • Elevated CPU utilization on traffic_server worker threads correlated with HTTP/2 traffic spikes.
  • Increased memory allocation in HPACK decoder structures without a matching rise in completed request counts.
  • Long-lived HTTP/2 connections that never complete a request (END_HEADERS never observed before connection reset or timeout).

Detection Strategies

  • Parse ATS access and error logs for HTTP/2 connections that close due to header parsing limits or timeouts without producing a response.
  • Deploy network monitoring that counts HTTP/2 frame types per connection and alerts when CONTINUATION frame counts exceed normal baselines.
  • Correlate proxy CPU saturation events with HTTP/2 connection counts to surface low-volume, high-cost client behavior.
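The following script, added to this article as an illustration and not taken from Apache Traffic Server or from the disclosure, ties together the attack vector described above and the frame-counting detection strategy in this list. It builds the attacker's raw HTTP/2 byte stream (preface, SETTINGS, a HEADERS frame without END_HEADERS, then CONTINUATION frames that never end the block), parses it back frame by frame, and reports the indicators listed above: CONTINUATION-to-HEADERS ratio, bytes buffered for an incomplete header block, and whether END_HEADERS was ever seen. It also applies a per-connection, per-minute cap modelled on proxy.config.http2.max_continuation_frames_per_minute; the sliding-window accounting, the default of 120 used here, the header names and the arrival spacing are all assumptions of the example, not a description of how ATS counts internally. All traffic is constructed in memory and nothing touches the network.

```python
"""HTTP/2 CONTINUATION flood: build the client's byte stream, then run a
frame-level detector with a per-minute cap over it.

Added example for this article; not ATS code. The cap only models the fixed
releases' behaviour. All sample traffic is constructed in-process.
"""
from collections import deque
import struct

# RFC 9113 frame types and flags used here
TYPE_SETTINGS, TYPE_HEADERS, TYPE_CONTINUATION = 0x4, 0x1, 0x9
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
WINDOW_SECONDS = 60.0
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 24-bit length field")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def hpack_literal(name, value):
    """HPACK 'literal field without indexing, new name' (RFC 7541 6.2.2), no
    Huffman coding. The 7-bit length prefix limits fields to under 127 bytes."""
    if len(name) >= 127 or len(value) >= 127:
        raise ValueError("keep names and values under 127 bytes")
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


# Constructed pseudo-headers for a plain GET; host name is made up.
PSEUDO_HEADERS = (hpack_literal(b":method", b"GET") + hpack_literal(b":path", b"/")
                  + hpack_literal(b":scheme", b"https")
                  + hpack_literal(b":authority", b"proxy.example"))


def build_flood(continuation_frames=500, pad=64, stream_id=1):
    """Attacker bytes: preface, empty SETTINGS, HEADERS *without* END_HEADERS,
    then CONTINUATION frames that never set END_HEADERS (block never closes)."""
    out = bytearray(PREFACE) + frame(TYPE_SETTINGS, 0, 0, b"")
    out += frame(TYPE_HEADERS, 0, stream_id, PSEUDO_HEADERS)
    filler = hpack_literal(b"x-pad", b"a" * pad)
    for _ in range(continuation_frames):
        out += frame(TYPE_CONTINUATION, 0, stream_id, filler)
    return bytes(out)


def build_legit_request(stream_id=1):
    """Benign comparison: one block split over HEADERS + two CONTINUATION frames,
    the last carrying END_HEADERS. END_STREAM rides on the HEADERS frame."""
    out = bytearray(PREFACE) + frame(TYPE_SETTINGS, 0, 0, b"")
    out += frame(TYPE_HEADERS, FLAG_END_STREAM, stream_id, PSEUDO_HEADERS)
    out += frame(TYPE_CONTINUATION, 0, stream_id, hpack_literal(b"cookie", b"session=abc"))
    out += frame(TYPE_CONTINUATION, FLAG_END_HEADERS, stream_id, hpack_literal(b"accept", b"*/*"))
    return bytes(out)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload); stop at a truncated frame."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, sid, payload
        off += 9 + length


class ContinuationGuard:
    """Sliding one-minute window over CONTINUATION arrivals on one connection
    (assumed model of proxy.config.http2.max_continuation_frames_per_minute)."""

    def __init__(self, max_per_minute):
        self.max_per_minute, self.arrivals = max_per_minute, deque()

    def allow(self, now):
        while self.arrivals and now - self.arrivals[0] >= WINDOW_SECONDS:
            self.arrivals.popleft()
        self.arrivals.append(now)
        return len(self.arrivals) <= self.max_per_minute


def analyze_connection(data, max_per_minute=120, frame_interval=0.0):
    """Walk one connection's frames and report the article's indicators.
    frame_interval = assumed seconds between frames (0.0 = single burst).
    'closed_at_frame' is the index of the frame on which the cap fired, else None."""
    guard, current_block, open_stream = ContinuationGuard(max_per_minute), 0, None
    st = {"headers_frames": 0, "continuation_frames": 0, "peak_header_block_bytes": 0,
          "end_headers_seen": False, "closed_at_frame": None, "protocol_error": None}
    for idx, (ftype, flags, sid, payload) in enumerate(parse_frames(data)):
        if open_stream is not None and (ftype != TYPE_CONTINUATION or sid != open_stream):
            st["protocol_error"] = "frame interleaved inside an open header block"
            break
        if ftype == TYPE_HEADERS:
            st["headers_frames"] += 1
        elif ftype == TYPE_CONTINUATION:
            if open_stream is None:
                st["protocol_error"] = "CONTINUATION without a preceding HEADERS"
                break
            st["continuation_frames"] += 1
        else:
            continue                       # SETTINGS etc. are not part of a block
        current_block += len(payload)      # fragment stays buffered until END_HEADERS
        st["peak_header_block_bytes"] = max(st["peak_header_block_bytes"], current_block)
        if ftype == TYPE_CONTINUATION and not guard.allow(idx * frame_interval):
            st["closed_at_frame"] = idx    # fixed ATS closes the connection here
            break
        if flags & FLAG_END_HEADERS:
            st["end_headers_seen"], open_stream, current_block = True, None, 0
        else:
            open_stream = sid
    st["continuation_per_headers"] = st["continuation_frames"] / max(st["headers_frames"], 1)
    return st


if __name__ == "__main__":
    for label, data, gap in (("burst flood", build_flood(), 0.0),
                             ("slow drip", build_flood(), 1.0),
                             ("legit request", build_legit_request(), 0.0)):
        print(label, analyze_connection(data, frame_interval=gap))
```

Two things worth noticing when you run it. The burst flood is cut off on the 121st CONTINUATION frame, so a cap of 120 bounds the work per connection per minute. The same 500 frames delivered one per second never trip a per-minute cap: the tunable is a rate limit, not a count limit, so a slow-drip client is still held off only by the proxy's header size limits and idle timeouts, which is why the monitoring advice below pairs frame counts with connection duration.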

Monitoring Recommendations

  • After upgrading, remember that proxy.config.http2.max_continuation_frames_per_minute is a limit, not a counter. Watch the HTTP/2 statistics ATS exposes (for example via traffic_ctl metric match http2) for connections closed because the cap was exceeded, and alert when that count rises.
  • Forward ATS metrics and connection logs to a centralized analytics platform for cross-host trend analysis.
  • Alert on HTTP/2 connection durations or per-connection frame counts that deviate from established baselines.

How to Mitigate CVE-2024-31309

Immediate Actions Required

  • Upgrade Apache Traffic Server to 8.1.10 or later on the 8.x line, or 9.2.4 or later on the 9.x line; these releases contain the fix.
  • Apply distribution-specific updates from Debian LTS Security Announcement and the Fedora package announcements where ATS is installed from OS repositories.
  • Inventory all internet-facing ATS deployments and prioritize patching of edge proxies first.
  • Review network telemetry for the past 90 days to identify prior abuse patterns against the proxy.

Patch Information

The Apache Software Foundation released fixed builds in Apache Traffic Server 8.1.10 and 9.2.4. The patch adds the configuration directive proxy.config.http2.max_continuation_frames_per_minute, which limits how many HTTP/2 CONTINUATION frames the proxy will process per minute on a connection. Refer to the Apache Mailing List Thread for the official advisory.

Workarounds

  • If immediate patching is not possible, place a hardened HTTP/2 terminator or web application firewall in front of ATS to enforce CONTINUATION frame limits.
  • Restrict HTTP/2 exposure to authenticated or trusted clients where feasible; if your client base can tolerate HTTP/1.1 only, removing HTTP/2 from the affected listener removes the vector entirely until the upgrade lands.
  • Apply rate limiting and per-source connection caps at the network edge to reduce blast radius from a single attacker.
The new tunable only exists in the fixed releases, so the following is post-upgrade hardening rather than a workaround for vulnerable builds. The cap applies per connection per minute; legitimate clients with large header sets (long cookies, many custom headers) may need several CONTINUATION frames per request, so measure your traffic before lowering the value far below the shipped default.

```bash
# After upgrading to ATS 8.1.10 or 9.2.4, set a conservative CONTINUATION frame cap
# in records.config (adjust the value to match your traffic profile; it is a
# per-connection, per-minute limit, and exceeding it closes the connection):
CONFIG proxy.config.http2.max_continuation_frames_per_minute INT 100

# Reload configuration without restarting the proxy:
traffic_ctl config reload

# Confirm the running value was picked up:
traffic_ctl config get proxy.config.http2.max_continuation_frames_per_minute
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
