
CVE-2023-44487

CVE Details

Visit the official vulnerability details page for CVE-2023-44487 to learn more.

Initial Publication

10/25/2024

Last Update

09/02/2025

Third Party Dependency

golang.org/x/net

NIST CVE Summary

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE Severity

7.5

Our Official Summary

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption.

There is a known active exploit reported by CISA. The containers in which this CVE is reported are not exposed to the public. Exploiting this vulnerability on these containers would require privileged access and execution of code within the internal network or on the container. There are controls in place to prevent unauthenticated access and remote code execution. The impact of an exploit is limited to the container attack surface.
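As an added illustration that is not part of this advisory or of the golang.org/x/net fix, the Go code below replays one sampling window of client frames per connection and shows why a per-connection limit on concurrently active streams alone does not catch this pattern: the abusive connection never has more than one stream open, yet opens and cancels hundreds of streams in the window. The FrameEvent shape, the Burst generator and the thresholds are assumptions made for the example; real input would come from server-side HTTP/2 frame logging.

```go
package main

// FrameEvent is one client frame seen in a sampling window: a HEADERS frame opening Stream,
// or (Rst) an RST_STREAM cancelling it. Constructed input shape, not a real capture format.
type FrameEvent struct{ Conn string; Stream uint32; Rst bool }

// ConnStats summarises one connection over the window.
type ConnStats struct {
	Opened, Reset int // streams opened / cancelled by the client
	PeakActive    int // most streams open at once: all a concurrency limit ever sees
}

// Analyse replays the window's frames in order and tracks opened, reset and
// concurrently active streams for each connection.
func Analyse(frames []FrameEvent) map[string]*ConnStats {
	stats, active := map[string]*ConnStats{}, map[string]map[uint32]bool{}
	for _, f := range frames {
		if stats[f.Conn] == nil {
			stats[f.Conn], active[f.Conn] = &ConnStats{}, map[uint32]bool{}
		}
		s, open := stats[f.Conn], active[f.Conn]
		if !f.Rst {
			open[f.Stream] = true
			s.Opened++
			if len(open) > s.PeakActive {
				s.PeakActive = len(open)
			}
		} else if open[f.Stream] { // cancel of a stream we saw opened in this window
			delete(open, f.Stream)
			s.Reset++
		}
	}
	return stats
}

// IsRapidReset flags a connection that cancelled at least minResets streams in the window and
// cancelled at least minFraction of everything it opened, however few were active at any instant.
func IsRapidReset(s *ConnStats, minResets int, minFraction float64) bool {
	return s.Opened > 0 && s.Reset >= minResets && float64(s.Reset)/float64(s.Opened) >= minFraction
}

// Burst builds n HEADERS+RST_STREAM pairs on odd stream ids: constructed abusive traffic for a test.
func Burst(conn string, n int) []FrameEvent {
	out := make([]FrameEvent, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		out = append(out, FrameEvent{conn, id, false}, FrameEvent{conn, id, true})
	}
	return out
}
```

With a 1-second window, thresholds such as 100 resets and a 0.9 reset fraction flag the Burst connection while leaving a client that opens five streams and cancels none untouched.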

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap
--- | --- | --- | --- | ---
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.5.22 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted

Revision History

Date | Revision
--- | ---
05/27/2025 | Official summary revised: A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. There is a known active exploit reported by CISA. The containers in which this CVE is reported are not exposed to the public. Exploiting this vulnerability on these containers will require privileged access and execution of code within the internal network or on the container. There are controls in place to prevent unauthenticated access and remote code execution. Impact of an exploit is limited to the container attack surface.