Multiple Vulnerabilities in HTTP/2 Protocol

Published on 10 Apr 2024

A security researcher has disclosed a new Denial-of-Service (DoS) attack method which exploits HTTP/2 protocols affected by a class of vulnerabilities, codenamed HTTP/2 CONTINUATION Flood. This attack method is caused by the incorrect handling of HEADERS and multiple CONTINUATION frames.

HEADERS frames carry the HTTP header fields, which hold metadata about the HTTP request or response, in a compressed form to improve efficiency. As with other frame types, the following flags can be set on a HEADERS frame:

  • END_HEADERS: when set, indicates that this frame contains all the headers the sender wanted to send,
  • END_STREAM: when set, indicates that there will be no request/response body.

Frames also have a maximum size, negotiated at the beginning of the connection. If a single HEADERS frame is not large enough to hold all the headers, the sender transmits it with the END_HEADERS flag unset and continues the header block in one or more CONTINUATION frames.

CONTINUATION frames are very similar to HEADERS frames, but they have just one flag, END_HEADERS. When set, it marks the last frame of the header block; when unset, it indicates that more headers are coming in the following CONTINUATION frames.

To illustrate, if the headers exceed the allowed size of a single frame, they are split across a sequence of frames:

  • HEADERS (no END_HEADERS flag),
  • CONTINUATION (no flags),
  • CONTINUATION (no flags),
  • …
  • CONTINUATION (END_HEADERS set).

However, if the END_HEADERS flag is never set, the request is never completed. Because the request never finishes, requests from malicious clients are not written to the access log, which makes this attack hard to debug. In many cases, analysing the raw traffic bytes is necessary to understand the nature of this vulnerability.

The vulnerabilities found in multiple implementations of the protocol are caused by the incorrect handling of HEADERS and multiple CONTINUATION frames. The attack involves sending a stream of CONTINUATION frames without ever setting the END_HEADERS flag that would close the request, so the server keeps buffering header data indefinitely.
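The following Python script is an added example, not code from the advisory or from any affected implementation. It parses raw HTTP/2 frames from a captured byte string, tracks the open header block per stream the way a hardened server should, and reports two conditions the advisory describes: a header block that grows past a limit (where the server should stop buffering and close the connection) and a header block that is never terminated with END_HEADERS (the request that never completes and never reaches the access log). The limits MAX_HEADER_BLOCK_BYTES and MAX_CONTINUATION_FRAMES are hypothetical values chosen for illustration, and the three captures are constructed inline.

```python
import struct

# Frame type codes and flag bits from the HTTP/2 specification (RFC 9113).
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4

# Assumed per-stream limits (hypothetical values, not from the advisory);
# a real server would tie them to its SETTINGS_MAX_HEADER_LIST_SIZE.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) from a raw byte capture of frames."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame at the end of the capture
        yield ftype, flags, stream_id, payload
        off += 9 + length


def audit_connection(data, max_bytes=MAX_HEADER_BLOCK_BYTES, max_frames=MAX_CONTINUATION_FRAMES):
    """
    Track the open header block per stream, as a hardened server would.
    Returns {"completed": [stream ids whose header block ended with END_HEADERS],
             "violations": [human-readable findings]}.
    Processing stops at the first limit breach, which is where a server should
    close the connection instead of buffering further header bytes.
    """
    open_block = {}  # stream_id -> {"bytes": int, "frames": int}
    completed, violations = [], []
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == TYPE_HEADERS:
            open_block[sid] = {"bytes": len(payload), "frames": 0}
        elif ftype == TYPE_CONTINUATION:
            blk = open_block.get(sid)
            if blk is None:
                violations.append(f"stream {sid}: CONTINUATION without an open HEADERS block")
                continue
            blk["bytes"] += len(payload)
            blk["frames"] += 1
            if blk["bytes"] > max_bytes or blk["frames"] > max_frames:
                violations.append(f"stream {sid}: header block limit exceeded "
                                  f"({blk['bytes']} bytes, {blk['frames']} CONTINUATION frames)")
                return {"completed": completed, "violations": violations}
        else:
            continue  # other frame types do not carry header block fragments
        if flags & FLAG_END_HEADERS:
            completed.append(sid)
            del open_block[sid]
    # Anything still open when the capture ends is the condition the advisory
    # describes: a request that was never closed and therefore never logged.
    for sid, blk in open_block.items():
        violations.append(f"stream {sid}: header block never terminated ({blk['bytes']} bytes buffered)")
    return {"completed": completed, "violations": violations}


# Constructed sample captures (HPACK bytes 0x82 0x86 0x84 are the static-table
# indexes for :method GET, :scheme http, :path /).
_REQ = b"\x82\x86\x84"
BENIGN_CAPTURE = build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1, _REQ)

FLOOD_CAPTURE = build_frame(TYPE_HEADERS, 0, 3, _REQ) + b"".join(
    build_frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 1024) for _ in range(20))

UNTERMINATED_CAPTURE = build_frame(TYPE_HEADERS, 0, 5, _REQ) + b"".join(
    build_frame(TYPE_CONTINUATION, 0, 5, b"\x00" * 64) for _ in range(3))

if __name__ == "__main__":
    for name, cap in [("benign", BENIGN_CAPTURE), ("flood", FLOOD_CAPTURE),
                      ("unterminated", UNTERMINATED_CAPTURE)]:
        print(name, audit_connection(cap))
```

The benign capture completes stream 1 with no findings; the flood capture trips the frame-count limit on the ninth CONTINUATION frame and processing stops there, which is the point at which a server should reset the connection rather than keep allocating; the unterminated capture ends with the header block still open, showing why such requests leave no access-log entry and why raw frame inspection is needed to see them.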

Successful exploitation of these vulnerabilities could allow an attacker to launch DoS attacks against servers or cause an out-of-memory (OOM) crash.

Users and administrators of HTTP/2 implementations may refer to the CVE listings that reflect the vulnerabilities within various implementations at: https://www.kb.cert.org/vuls/id/421644

Users and administrators of affected implementations are advised to upgrade their software to the latest versions once available.

More information is available at:
https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/

https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html

https://nowotarski.info/http2-continuation-flood-technical-details/