7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vx74-f528-fxqg

GHSA-vx74-f528-fxqg: github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact

Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.

See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Patches

nghttp2 v1.57.0 mitigates this vulnerability by default.

Workarounds

If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.

References

The following commit mitigates this vulnerability:

https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-vx74-f528-fxqg

GHSA-vx74-f528-fxqg:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/nghttp2/nghttp2	go	< 1.57.0	1.57.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unrestricted processing of RST_STREAM frames. The commit introduces a rate limiter (nghttp2_ratelim) to mitigate this. The function nghttp2_session_on_rst_stream_received was modified to include a call to session_update_stream_reset_ratelim, indicating it previously lacked this protection. The absence of rate limiting in older versions allows unbounded stream resets, leading to DoS via CWE-400.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-vx74-f528-fxqg: github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact

Patches

Workarounds

References

GHSA-vx74-f528-fxqg:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

7.5

7.5

GHSA-vx74-f528-fxqg: github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI