http2 | 11 Apr

New HTTP/2 Vulnerability exploited for DoS Attacks

A new vulnerability named HTTP/2 CONTINUATION Flood has been discovered in the HTTP/2 protocol, allowing for potential denial-of-service (DoS) attacks.

Security researcher Bartek Nowotarski reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024. The vulnerability arises from the improper handling of CONTINUATION frames, which carry the remaining fragments of a header block that did not fit in the initial HEADERS frame in HTTP/2. Many HTTP/2 implementations do not limit or validate the number of CONTINUATION frames sent within a single stream, so an unbounded stream of header fragments can exhaust server memory or crash the process.

Unlike previous vulnerabilities such as Rapid Reset, HTTP/2 CONTINUATION Flood poses a more severe threat: a single machine, or even a single TCP connection, can significantly disrupt server availability. The attack is stealthy, as the malicious requests are not recorded in HTTP access logs. The vulnerability affects various projects including amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, the h2 Rust crate, nghttp2, Node.js, and Tempesta FW.

Nowotarski notes that RFC 9113 does not spell out the consequences of a peer sending CONTINUATION frames that never carry the final END_HEADERS flag, an omission that has contributed to the vulnerability. Impacted servers may experience outcomes ranging from instant crashes to CPU exhaustion.
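As an added illustration that is not from the article or from any of the listed projects, the following Python frame reader shows the server-side bound that vulnerable implementations lacked: it accumulates one header block (a HEADERS frame plus its CONTINUATION frames) and rejects the stream once a cap on frame count or buffered bytes is exceeded, instead of buffering until END_HEADERS arrives. The limit values are assumptions chosen for the example, and HEADERS padding and priority fields are not decoded.

```python
import struct
# HTTP/2 frame type codes and the END_HEADERS flag (RFC 9113, section 6).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
# Assumed defensive limits, chosen for this example and not taken from any project.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8

def frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length

def read_header_block(data, max_bytes=MAX_HEADER_BLOCK_BYTES, max_frames=MAX_CONTINUATION_FRAMES):
    """Accumulate one header block (HEADERS followed by CONTINUATION frames) under hard limits.
    Returns ("ok", size) at END_HEADERS, ("reject", reason) on a violated limit or framing rule,
    or ("incomplete", size) if the data ends mid-block. Simplification: HEADERS padding and priority
    fields are counted as block bytes."""
    open_stream, block, cont_frames = None, bytearray(), 0
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            if open_stream is not None:
                return ("reject", "HEADERS while a header block is still open")
            open_stream, block, cont_frames = sid, bytearray(payload), 0
        elif ftype == CONTINUATION:
            if sid != open_stream:
                return ("reject", "CONTINUATION without an open header block")
            cont_frames += 1
            block += payload
        elif open_stream is not None:
            return ("reject", "other frame interleaved in a header block")
        else:
            continue
        # Check the limits before buffering any more: this bound is what vulnerable implementations lacked.
        if len(block) > max_bytes:
            return ("reject", "header block exceeds %d bytes" % max_bytes)
        if cont_frames > max_frames:
            return ("reject", "more than %d CONTINUATION frames" % max_frames)
        if flags & END_HEADERS:
            return ("ok", len(block))
    return ("incomplete", len(block))
```

A real server would additionally reset the stream or close the connection on "reject" and record the event, since the request itself never reaches the access log.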

To mitigate potential threats, users are advised to upgrade affected software to the latest versions. In cases where updates are unavailable, temporarily disabling HTTP/2 on the server is recommended. This vulnerability underscores the importance of robust protocol implementations and prompt updates to address emerging security threats in web technologies.