Exploiting HTTP/2 CONTINUATION frames for DoS attacks


April 8, 2024


About the vulnerability

The vulnerability lies in how HTTP/2 implementations handle CONTINUATION frames, which carry the remainder of a header block that is too large to fit in a single HEADERS frame (that is, larger than the maximum frame size). An attacker exploits this by sending an excessive number of CONTINUATION frames on a single HTTP/2 stream; the flood overwhelms the server's ability to process them efficiently.

The severity of this vulnerability was highlighted by Bartek Nowotarski, who noted that it poses a more significant threat than earlier incidents such as the 'HTTP/2 Rapid Reset' attack. Furthermore, the vulnerability has been actively exploited since August 2023.

What makes this attack particularly concerning is that it can crash a web server from a single TCP connection, in some cases with just a handful of frames. Affected servers may suffer severe performance degradation or complete unavailability.

This vulnerability affects a wide range of vendors and HTTP/2 libraries, including but not limited to Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Affected versions

Product                      Affected versions
---------------------------  ------------------------------------------------
(name missing from page)     >= 2.0.0 && <= 2.1.0, <= 1.7.2
Apache HTTP Server (httpd)   (versions missing from page)
Apache Tomcat                <=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98
Apache Traffic Server        8.0.0-8.1.9, 9.0.0-9.2.3
Envoy proxy (oghttp)         1.29.0, 1.29.1
Envoy proxy (nghttp2)        (versions missing from page)
(name missing from page)     <=1.20, <=1.21.8, <=1.22.1
(name missing from page)     <=18.20.0, <=20.12.0, <=21.7.1
Tempesta FW                  (versions missing from page)



Given how widespread HTTP/2 is (Cloudflare Radar estimates it carries more than 70% of internet traffic), the impact of this vulnerability is significant. It underscores the need for prompt patching and robust security measures to mitigate the risk of exploitation and protect web servers from denial-of-service (DoS) and security-restriction-bypass attacks.


Update the affected software to the latest release in which the vulnerability is patched. If no patch is available yet, consider temporarily disabling HTTP/2 on the server.
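As an added illustration of that interim step (this is example configuration, not from the post or from the Apache project), here is how protocol negotiation is controlled in Apache HTTP Server when mod_http2 is loaded: h2 is only offered to clients when it is listed in the Protocols directive, so dropping it falls the vhost back to HTTP/1.1. The server name is a placeholder.

```apache
# Added example, not configuration from the post. Assumes Apache HTTP Server with
# mod_http2 loaded; h2 is only offered to clients when it appears in Protocols.

# Before: HTTP/2 (h2) negotiated over TLS alongside HTTP/1.1.
<VirtualHost *:443>
    ServerName www.example.com            # placeholder
    Protocols h2 http/1.1
    # ... TLS and site configuration ...
</VirtualHost>

# Interim mitigation until the patched httpd build is deployed: remove h2
# (and h2c on any plaintext listener) so only HTTP/1.1 is offered.
<VirtualHost *:443>
    ServerName www.example.com            # placeholder
    Protocols http/1.1
    # ... TLS and site configuration ...
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading, and confirm the change from outside with `curl -sI --http2 https://www.example.com`: the first status line should now read `HTTP/1.1` rather than `HTTP/2`. Re-enable h2 once the patched release is in place.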


Patch and update: Apply the latest security updates to your server software, relevant libraries, and HTTP/2 implementations. Check your vendors' advisories regularly and install updates as soon as they are released to close known vulnerabilities.

Implement rate limiting: Cap the number of requests or frames that will be processed in a given period. This limits the damage that heavy traffic or floods can do.

Analyze and monitor traffic: Watch for unusual patterns or spikes in incoming traffic that could indicate an attack, and inspect raw HTTP/2 traffic to detect and block malicious requests that exploit flaws in HTTP/2 implementations.

Use web application firewalls (WAFs): Deploy a WAF to filter incoming traffic and keep malicious requests from reaching your server, with rules that recognize and block the known attack patterns associated with HTTP/2 DoS attacks.

Implement network-level defenses: Use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to identify and block suspicious traffic patterns characteristic of DoS attacks against HTTP/2 implementations.

Diversify server implementations: Spread your deployment across multiple implementations or providers. A vulnerability specific to one implementation then affects only part of your estate, which improves overall resilience.
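To make both the mechanism described under "About the vulnerability" and the per-stream frame limiting recommended above concrete, here is an added example in Python; it is not code from the post or from any of the affected projects. It parses raw HTTP/2 frames using the RFC 7540 section 4.1 layout and reassembles HEADERS + CONTINUATION fragments into a header block. With no caps it behaves like the unbounded implementations the post describes (fragments are buffered until END_HEADERS, which a flooding peer never sends); with caps on total header-block bytes and on the number of CONTINUATION frames it rejects the flood early. The header-block payloads are opaque constructed bytes rather than real HPACK, and the cap values (16 KiB, 16 frames) are assumed, illustrative numbers.

```python
"""Bounded reassembly of HTTP/2 header blocks (HEADERS + CONTINUATION). Added
example, not code from the post or any affected project. Frame layout per RFC 7540
s4.1; payloads are opaque constructed bytes, not HPACK; caps are assumed values."""
from collections import namedtuple

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
Frame = namedtuple("Frame", "ftype flags stream_id payload")

def encode_frame(ftype, flags, stream_id, payload):
    """Serialise one frame (24-bit length, type, flags, 31-bit stream id, payload)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def parse_frames(data):
    """Split a raw frame sequence (connection preface already consumed) into Frames."""
    frames, off = [], 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        body = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(body) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, body))
        off += FRAME_HEADER_LEN + length
    return frames

class HeaderBlockTooLarge(Exception):
    """Caps exceeded: send GOAWAY and close the connection instead of buffering more."""

class HeaderAssembler:
    """Joins HEADERS + CONTINUATION fragments into one header block. With both caps
    None it mirrors the unbounded behaviour the post describes (append until
    END_HEADERS, which a flooding peer never sends); the caps are the mitigation."""

    def __init__(self, max_block_bytes=None, max_continuations=None):
        self.max_block_bytes, self.max_continuations = max_block_bytes, max_continuations
        self._stream = None            # stream whose header block is still open
        self._buf = bytearray()
        self._continuations = 0

    def feed(self, frame):
        """Return the completed header block, or None while it is still open."""
        if frame.ftype == TYPE_HEADERS:
            if self._stream is not None:
                raise ValueError("HEADERS while another header block is open")
            self._stream, self._continuations = frame.stream_id, 0
            self._buf = bytearray(frame.payload)   # padding/priority fields ignored here
        elif frame.ftype == TYPE_CONTINUATION:
            if frame.stream_id != self._stream:    # also catches "no block open at all"
                raise ValueError("CONTINUATION without a matching open HEADERS")
            self._continuations += 1
            self._buf += frame.payload
        elif self._stream is not None:
            raise ValueError("other frame type while a header block is open")
        else:
            return None
        if self.max_continuations is not None and self._continuations > self.max_continuations:
            raise HeaderBlockTooLarge(f"more than {self.max_continuations} CONTINUATION frames")
        if self.max_block_bytes is not None and len(self._buf) > self.max_block_bytes:
            raise HeaderBlockTooLarge(f"header block exceeds {self.max_block_bytes} bytes")
        if frame.flags & FLAG_END_HEADERS:
            block, self._stream, self._buf = bytes(self._buf), None, bytearray()
            return block
        return None

    @property
    def buffered_bytes(self):
        return len(self._buf)

def legitimate_request():
    """Constructed: one header block split across HEADERS + 2 CONTINUATION frames."""
    return (encode_frame(TYPE_HEADERS, 0, 1, b"A" * 100)
            + encode_frame(TYPE_CONTINUATION, 0, 1, b"B" * 100)
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"C" * 100))

def continuation_flood(frames, size):
    """Constructed test input: HEADERS then CONTINUATION frames with no END_HEADERS."""
    return (encode_frame(TYPE_HEADERS, 0, 1, b"H" * size)
            + b"".join(encode_frame(TYPE_CONTINUATION, 0, 1, b"X" * size)
                       for _ in range(frames)))

def reassemble(data, max_block_bytes=16384, max_continuations=16):
    """('complete', block_len), ('open', buffered_bytes) or ('rejected', reason)."""
    asm = HeaderAssembler(max_block_bytes, max_continuations)
    try:
        for frame in parse_frames(data):
            block = asm.feed(frame)
            if block is not None:
                return ("complete", len(block))
        return ("open", asm.buffered_bytes)
    except HeaderBlockTooLarge as exc:
        return ("rejected", str(exc))
```

Calling `reassemble(continuation_flood(2000, 1024), None, None)` shows the unbounded case: the block never completes and about 2 MiB sits in the buffer for one stream, and nothing stops the peer from continuing. With the default caps the same input is rejected at the 16th CONTINUATION frame, and a flood of many tiny frames (`continuation_flood(50, 10)`) is rejected by the frame-count cap even though the byte cap is never reached. A real server would react to `HeaderBlockTooLarge` by sending GOAWAY and closing the connection, which is the point at which the per-connection resource use is bounded.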

Detecting vulnerabilities with Snyk

  1. amphp/http (CVE-2024-2653) - Allocation of Resources Without Limits or Throttling

  2. Apache HTTP Server (CVE-2024-27316) - Uncontrolled Resource Consumption ('Resource Exhaustion')

  3. Apache Tomcat (CVE-2024-24549) - Improper Input Validation

  4. Apache Traffic Server (CVE-2024-31309) - Uncontrolled Resource Consumption ('Resource Exhaustion')

  5. Envoy proxy (CVE-2024-27919 and CVE-2024-30255) - Detection of Error Condition Without Action and Uncontrolled Resource Consumption ('Resource Exhaustion')

  6. Golang (CVE-2023-45288) - Resource Exhaustion

  7. h2 Rust crate

  8. nghttp2 (CVE-2024-28182) - Resource Exhaustion

  9. Node.js (CVE-2024-27983) - Resource Exhaustion

  10. Tempesta FW (CVE-2024-2758) - Allocation of Resources Without Limits or Throttling


  1. https://nowotarski.info/

  2. https://nowotarski.info/http2-continuation-flood-technical-details/#reachable-assertion-crash-nodejs-special-case

  3. https://datatracker.ietf.org/doc/html/rfc7540

  4. https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/



© 2024 Snyk Limited
Registered in England and Wales