Wednesday , June 25 2025
http/2

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

The HTTP/2 protocol has a vulnerability in the CONTINUATION frame that allows for denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski named this technique HTTP/2 CONTINUATION Flood and reported it to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

WhatsApp banned on all US House of Representatives devices

The U.S. House of Representatives has banned congressional staff from using WhatsApp on government devices due to security concerns, as...
Read More
WhatsApp banned on all US House of Representatives devices

Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store

Kaspersky found a new mobile malware dubbed SparkKitty in Google Play and Apple App Store apps, targeting Android and iOS....
Read More
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store

OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems

OWASP has released its AI Testing Guide, a framework to help organizations find and fix vulnerabilities specific to AI systems....
Read More
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems

Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform

In a major milestone for the country’s digital infrastructure, Axentec PLC has officially launched Axentec Cloud, Bangladesh’s first Tier-4 cloud...
Read More
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform

Hackers Bypass Gmail MFA With App-Specific Password Reuse

A hacking group reportedly linked to Russian government has been discovered using a new phishing method that bypasses two-factor authentication...
Read More
Hackers Bypass Gmail MFA With App-Specific Password Reuse

Russia detects first SuperCard malware attacks via NFC

Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...
Read More
Russia detects first SuperCard malware attacks via NFC

Income Property Investments exposes 170,000+ Individuals record

Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
Read More
Income Property Investments exposes 170,000+ Individuals record

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
Read More
ALERT (CVE: 2023-28771)  Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

CISA Flags Active Exploits in Apple iOS and TP-Link Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
Read More
CISA Flags Active Exploits in Apple iOS and TP-Link Routers

10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...
Read More
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

Just like in HTTP/1, HTTP/2 also utilizes header fields in requests and responses. These header fields can form header lists, which are then serialized and divided into header blocks. These header blocks are further segmented into block fragments and transmitted within HEADER frames or CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.

“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The END_HEADERS flag set in the last frame signals the remote endpoint that it’s the end of the header block.

Nowotarski states that the CONTINUATION Flood is a more serious threat compared to the Rapid Reset attack that was revealed in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability is related to how HEADERS and multiple CONTINUATION frames are handled, which can lead to a DoS condition. Essentially, an attacker can create a never-ending stream of headers by sending HEADERS and CONTINUATION frames without the END_HEADERS flag, causing the HTTP/2 server to continuously parse and store them in memory.

While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.

“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.

“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”

The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Upgrade affected software to the latest version for protection against potential threats. If no solution is available, consider temporarily disabling HTTP/2 on the server.

Source: CERT coordination center, thehackernews

Check Also

Patch Tuesday

Microsoft patch Tuesday fix exploited zero-day and 65 vuls patched

Microsoft’s June Patch Tuesday update has arrived, addressing 66 vulnerabilities across its product line. One …

Leave a Reply

Your email address will not be published. Required fields are marked *