CVE-2023-44487

HIGHNVD 7.59.0▲Trending — 5 sources updated this weekExploited in the wild

7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS v3: 7.5
EG Score: 9.0(high)
EPSS: 100.0%
KEV: ⚠ Exploited

Published

October 10, 2023

Last Modified

May 12, 2026

Advisory Details (10)

Auto-updated May 20, 2026

Patch available. Sources: redhat.

generic

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/

redhat Patch Available

cve-details

https://access.redhat.com/security/cve/cve-2023-44487

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/20/8

generic

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

http://www.openwall.com/lists/oss-security/2023/10/19/6

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/18/8

generic

oss-security - Vulnerability in Jenkins

http://www.openwall.com/lists/oss-security/2023/10/18/4

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/13/9

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/13/4

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/10/7

generic

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/10/6

Vendor Advisories for CVE-2023-44487(20)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(30)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
redhat	multicluster-engine/kube-rbac-proxy-mce-rhel9:1766274324	2026-01-15	redhat
redhat	rhacm2/kube-rbac-proxy-rhel9:v2.11	2025-12-17	redhat
redhat	multicluster-engine/kube-rbac-proxy-mce-rhel9:v2.6	2025-12-17	redhat
redhat	eap7-wildfly-0:7.1.12-2.GA_redhat_00002.1.ep7.el7	2025-09-25	redhat
redhat	devspaces/udi-rhel8:3.15-5	2024-07-18	redhat
redhat	rhceph/snmp-notifier-rhel9:1.2.1-57	2024-05-01	redhat
redhat	helm-0:3.13.2-35.el9	2024-04-18	redhat
redhat	openshift4/ovirt-csi-driver-rhel8-operator:v4.15.0-202404030309.p0.ge9b0fa2.assembly.stream.el8	2024-04-16	redhat
redhat	nodejs:16-8090020240315081818.a75119d5	2024-03-20	redhat
redhat	rhdh/rhdh-hub-rhel9:1.1-97	2024-03-18	redhat
redhat	kube-descheduler-operator/kube-descheduler-rhel9-operator:v5.0-14	2024-03-06	redhat
redhat	run-once-duration-override-operator/run-once-duration-override-rhel9-operator:v1.1-5	2024-02-28	redhat
redhat	openshift4/ovirt-csi-driver-rhel9:v4.15.0-202401261531.p0.gb8d25ad.assembly.stream	2024-02-27	redhat
redhat	openshift-sandboxed-containers/osc-rhel9-operator:1.5.2-3	2024-02-15	redhat
redhat	jenkins-0:2.426.3.1706516352-3.el8	2024-02-12	redhat
redhat	albo/aws-load-balancer-rhel8-operator:1.1.1-1	2024-01-30	redhat
redhat	mta/mta-cli-rhel9:7.0.0-44	2024-01-30	redhat
redhat	openshift4/ose-openshift-apiserver-rhel8:v4.13.0-202312040608.p0.g6c07330.assembly.stream	2023-12-13	redhat
redhat	openshift4/ose-gcp-cloud-controller-manager-rhel8:v4.14.0-202311300410.p0.g09e96a9.assembly.stream	2023-12-12	redhat
redhat	rhceph/rhceph-6-dashboard-rhel9:6-82	2023-12-12	redhat
redhat	openshift-pipelines/pipelines-workingdirinit-rhel8:v1.10.6-10	2023-12-07	redhat
redhat	container-native-virtualization/virt-artifacts-server-rhel9:v4.14.1-4	2023-12-07	redhat
redhat	openshift-pipelines-client-0:1.10.6-11031.el8	2023-12-07	redhat
redhat	cri-o-0:1.25.5-2.rhaos4.12.git0217273.el8	2023-12-06	redhat
redhat	undertow	2023-12-05	redhat
redhat	eap7-wildfly-transaction-client-0:1.1.16-1.Final_redhat_00001.1.el7eap	2023-12-04	redhat
redhat	eap7-wildfly-transaction-client-0:1.1.16-1.Final_redhat_00001.1.el8eap	2023-12-04	redhat
redhat	patch	2023-12-04	redhat
redhat	eap7-wildfly-0:7.4.14-5.GA_redhat_00002.1.el9eap	2023-12-04	redhat
redhat	cri-o-0:1.24.6-6.1.rhaos4.11.git7f73171.el8_6	2023-11-29	redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(12 across 3 ecosystems)

Maven(10)

Package	Vulnerable range	Fixed in	Dependents
com.typesafe.akka:akka-http-core	3.0.0-RC1	10.5.3	—
com.typesafe.akka:akka-http-core_2.11	10.0.0 ... 3.0.0-RC1 (58 versions)	—	—
com.typesafe.akka:akka-http-core_2.12	10.0.0 ... 10.5.2 (59 versions)	10.5.3	—
com.typesafe.akka:akka-http-core_2.13	10.1.10 ... 10.5.2 (31 versions)	10.5.3	—
org.apache.tomcat.embed:tomcat-embed-core	8.5.0 ... 8.5.93 (78 versions)	8.5.94	—
org.apache.tomcat:tomcat-coyote	8.5.0 ... 8.5.93 (78 versions)	8.5.94	—
org.eclipse.jetty.http2:http2-common	11.0.0 ... 11.0.9 (17 versions)	11.0.17	—
org.eclipse.jetty.http2:http2-server	11.0.0 ... 11.0.9 (17 versions)	11.0.17	—
org.eclipse.jetty.http2:jetty-http2-common	12.0.0, 12.0.1	12.0.2	—
org.eclipse.jetty.http2:jetty-http2-server	12.0.0, 12.0.1	12.0.2	—

Go(1)

Package	Vulnerable range	Fixed in	Dependents
golang.org/x/net	—	0.17.0	—

Swift(1)

Package	Vulnerable range	Fixed in	Dependents
github.com/apple/swift-nio-http2	—	1.28.0	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-400Uncontrolled Resource Consumption (Denial of Service)

Additional Vendor Advisories

(22)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 20× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-03 14:12 UTCEG score recompute
2026-06-03 14:12 UTCVendor advisory
2026-06-03 10:02 UTCEG score recompute
2026-06-03 10:02 UTCVendor advisory
2026-06-03 05:52 UTCEG score recompute
2026-06-03 05:52 UTCVendor advisory
2026-06-03 01:42 UTCEG score recompute
2026-06-03 01:42 UTCVendor advisory
2026-06-02 21:32 UTCEG score recompute
2026-06-02 21:32 UTCVendor advisory
2026-06-02 18:32 UTCkev_newly_listed
2026-06-02 17:22 UTCEG score recompute
2026-06-02 17:22 UTCVendor advisory
2026-06-02 13:12 UTCEG score recompute
2026-06-02 13:12 UTCVendor advisory
2026-06-02 09:02 UTCEG score recompute
2026-06-02 09:02 UTCVendor advisory
2026-06-02 04:52 UTCEG score recompute
2026-06-02 04:52 UTCVendor advisory
2026-06-02 00:42 UTCEG score recompute

Publicly available exploits

(10 references)

Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoCtpirate/cve-2023-44487-POC
First seen Dec 14, 2025
poc for the rst dos attack discovered in 2023
Open source ↗
Exploit-DBEDB-52426
First seen Sep 16, 2025
HTTP/2 2.0 - Denial Of Service (DOS)
Open source ↗
GitHub PoCthreatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC
First seen Dec 3, 2024
Open source ↗
GitHub PoCnxenon/cve-2023-44487
First seen Nov 10, 2023
Examples for Implementing cve-2023-44487 ( HTTP/2 Rapid Reset Attack ) Concept
Open source ↗
GitHub PoCndrscodes/http2-rst-stream-attacker
First seen Nov 8, 2023
Highly configurable tool to check a server's vulnerability against CVE-2023-44487 by rapidly sending HEADERS and RST_STREAM frames and documenting the server's responses.
Open source ↗
GitHub PoCReToCode/golang-CVE-2023-44487
First seen Oct 25, 2023
Open source ↗
GitHub PoCstudiogangster/CVE-2023-44487
First seen Oct 16, 2023
A python based exploit to test out rapid reset attack (CVE-2023-44487)
Open source ↗
GitHub PoCsecengjeff/rapidresetclient
First seen Oct 13, 2023
Tool for testing mitigations and exposure to Rapid Reset DDoS (CVE-2023-44487)
Open source ↗
GitHub PoCAppsynergy-io/CVE-2023-44487
First seen Oct 11, 2023
Proof of concept for DoS exploit
Open source ↗
GitHub PoCbcdannyboy/CVE-2023-44487
First seen Oct 10, 2023
Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487
Open source ↗

Frequently asked(6)

What is CVE-2023-44487?

CVE-2023-44487 is a high vulnerability published on October 10, 2023. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

When was CVE-2023-44487 disclosed?

CVE-2023-44487 was first published in the National Vulnerability Database on October 10, 2023, with the most recent update on May 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2023-44487 actively exploited?

Yes. CISA added CVE-2023-44487 to the Known Exploited Vulnerabilities catalog on October 10, 2023, affecting IETF HTTP/2. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

What is the CVSS score of CVE-2023-44487?

CVE-2023-44487 has a CVSS v3 base score of 7.5 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.

Which products are affected by CVE-2023-44487?

CVE-2023-44487 affects IETF HTTP/2. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2023-44487?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2023-44487, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-44487

Explore →

Is Your Infrastructure Affected by CVE-2023-44487?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2023-44487

Published

Last Modified

Advisory Details (10)

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

cve-details

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Vulnerability in Jenkins

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

Vendor Advisories for CVE-2023-44487(20)

Patch Availability(30)

Affected Packages

Weakness Classification(1)

Additional Vendor Advisories

Data Freshness Timeline

Publicly available exploits

Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2023-44487?

Same vendor

Same CWE

CVE-2023-44487

📅 Published

🔄 Last Modified

📋 Advisory Details (10)

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

cve-details

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Vulnerability in Jenkins

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

📣 Vendor Advisories for CVE-2023-44487(20)

Patch Availability(30)

Affected Packages

Weakness Classification(1)

Additional Vendor Advisories

Data Freshness Timeline

Publicly available exploits

❓ Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2023-44487?

🔗 Related CVEs(same vendor + same CWE)

Same vendor

Same CWE

Published

Last Modified

Advisory Details (10)

Vendor Advisories for CVE-2023-44487(20)

Frequently asked(6)

Related CVEs(same vendor + same CWE)