RUSTSEC-2024-0003: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS) #686
Labels
Comments
|
Issue has been automatically marked as stale due to inactivity for 90 days. Update the issue to remove label, otherwise it will be automatically closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
h20.2.7^0.3.24,>=0.4.2An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.
This fix is corrected in hyperium/h2#737, which limits the total number of
internal error resets emitted by default before the connection is closed.
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: