The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-44487
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-10-10), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 7.5 retained for reference. Confidence: HIGH.
- 1,535 internet-exposed hosts are running an affected version right now
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
1,535 internet-exposed hosts are running an affected version of CVE-2023-44487 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- 7.5
- EG Score
- 9.0(high)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
October 10, 2023
Last Modified
June 17, 2026
Advisory Details (10)
Auto-updated May 20, 2026Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/20/8oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
http://www.openwall.com/lists/oss-security/2023/10/19/6oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/18/8oss-security - Vulnerability in Jenkins
http://www.openwall.com/lists/oss-security/2023/10/18/4oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/13/9oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/13/4oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/10/7oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
http://www.openwall.com/lists/oss-security/2023/10/10/6Vendor Advisories for CVE-2023-44487(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:0722Red Hat Product SecurityHigh
Red Hat Security Advisory: multicluster engine for Kubernetes v2.8.4 security update
- RHSA-2025:23529Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes 2.11.9 security update
- RHSA-2025:23528Red Hat Product SecurityHigh
Red Hat Security Advisory: multicluster engine for Kubernetes 2.6 security update
- RHSA-2025:16668Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.12 on RHEL 7 security update
- RHSA-2024:4631Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.15.0 release
- RHEA-2024:1870Red Hat Product SecurityHigh
Red Hat Enhancement Advisory: Advisory for publishing Helm 3.13.2 GA release
- RHSA-2024:1770Red Hat Product SecurityHigh
Red Hat Security Advisory: OpenShift Container Platform 4.15.9 bug fix and security update
- RHSA-2024:1444Red Hat Product SecurityHigh
Red Hat Security Advisory: nodejs:16 security update
- +12 more
Patch Availability(30)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(12 across 3 ecosystems)
Maven(10)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| com.typesafe.akka:akka-http-core | 3.0.0-RC1 | 10.5.3 | — |
| com.typesafe.akka:akka-http-core_2.11 | 10.0.0 ... 3.0.0-RC1 (58 versions) | — | — |
| com.typesafe.akka:akka-http-core_2.12 | 10.0.0 ... 10.5.2 (59 versions) | 10.5.3 | — |
| com.typesafe.akka:akka-http-core_2.13 | 10.1.10 ... 10.5.2 (31 versions) | 10.5.3 | — |
| org.apache.tomcat.embed:tomcat-embed-core | 8.5.0 ... 8.5.93 (78 versions) | 8.5.94 | — |
| org.apache.tomcat:tomcat-coyote | 8.5.0 ... 8.5.93 (78 versions) | 8.5.94 | — |
| org.eclipse.jetty.http2:http2-common | 11.0.0 ... 11.0.9 (17 versions) | 11.0.17 | — |
| org.eclipse.jetty.http2:http2-server | 11.0.0 ... 11.0.9 (17 versions) | 11.0.17 | — |
| org.eclipse.jetty.http2:jetty-http2-common | 12.0.0, 12.0.1 | 12.0.2 | — |
| org.eclipse.jetty.http2:jetty-http2-server | 12.0.0, 12.0.1 | 12.0.2 | — |
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| golang.org/x/net | — | 0.17.0 | — |
Swift(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| github.com/apple/swift-nio-http2 | — | 1.28.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(22)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Microsoft MSRCCVE-2023-444872023-10-10
MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
- Red HatRHBA-2023:5806IMPORTANT2023-10-10
RHBA-2023:5806 — Important
- Red HatRHBA-2023:5949IMPORTANT2023-10-10
RHBA-2023:5949 — Important
- Red HatRHBA-2023:6078IMPORTANT2023-10-10
RHBA-2023:6078 — Important
- Red HatRHBA-2023:6109IMPORTANT2023-10-10
RHBA-2023:6109 — Important
- Red HatRHBA-2023:6254IMPORTANT2023-10-10
RHBA-2023:6254 — Important
- Red HatRHBA-2023:6863IMPORTANT2023-10-10
RHBA-2023:6863 — Important
- Red HatRHBA-2023:7492IMPORTANT2023-10-10
RHBA-2023:7492 — Important
- Red HatRHBA-2024:0815IMPORTANT2023-10-10
RHBA-2024:0815 — Important
- Red HatRHEA-2023:6562IMPORTANT2023-10-10
RHEA-2023:6562 — Important
- Red HatRHEA-2023:6741IMPORTANT2023-10-10
RHEA-2023:6741 — Important
- Red HatRHEA-2023:7235IMPORTANT2023-10-10
RHEA-2023:7235 — Important
- Red HatRHEA-2023:7239IMPORTANT2023-10-10
RHEA-2023:7239 — Important
- Red HatRHEA-2023:7327IMPORTANT2023-10-10
RHEA-2023:7327 — Important
- Red HatRHEA-2024:0555IMPORTANT2023-10-10
RHEA-2024:0555 — Important
- Red HatRHSA-2023:5006IMPORTANT2023-10-10
RHSA-2023:5006 — Important
- Red HatRHSA-2023:5009IMPORTANT2023-10-10
RHSA-2023:5009 — Important
- Red HatRHSA-2023:5530IMPORTANT2023-10-10
RHSA-2023:5530 — Important
- Red HatRHSA-2023:5541IMPORTANT2023-10-10
RHSA-2023:5541 — Important
- Red HatRHSA-2023:5542IMPORTANT2023-10-10
RHSA-2023:5542 — Important
- Red HatRHSA-2023:5679IMPORTANT2023-10-10
RHSA-2023:5679 — Important
- Red HatRHSA-2023:5705IMPORTANT2023-10-10
RHSA-2023:5705 — Important
Data Freshness Timeline
(refreshed 82× in last 7d / 365× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 495 total refreshes for this CVE.
- 2026-07-07 09:03 UTCEG score recompute
- 2026-07-07 09:03 UTCVendor advisory
- 2026-07-07 04:53 UTCEG score recompute
- 2026-07-07 04:53 UTCVendor advisory
- 2026-07-07 00:43 UTCEG score recompute
- 2026-07-07 00:43 UTCVendor advisory
- 2026-07-06 20:33 UTCEG score recompute
- 2026-07-06 20:33 UTCVendor advisory
- 2026-07-06 16:23 UTCEG score recompute
- 2026-07-06 16:23 UTCVendor advisory
- 2026-07-06 12:10 UTCEG score recompute
- 2026-07-06 12:10 UTCVendor advisory
- 2026-07-06 07:57 UTCEG score recompute
- 2026-07-06 07:57 UTCVendor advisory
- 2026-07-06 03:47 UTCEG score recompute
- 2026-07-06 03:47 UTCVendor advisory
- 2026-07-05 23:36 UTCEG score recompute
- 2026-07-05 23:36 UTCVendor advisory
- 2026-07-05 19:26 UTCEG score recompute
- 2026-07-05 19:26 UTCVendor advisory
- 2026-07-05 15:15 UTCEG score recompute
- 2026-07-05 15:15 UTCVendor advisory
- 2026-07-05 11:05 UTCEG score recompute
- 2026-07-05 11:05 UTCVendor advisory
- 2026-07-05 06:53 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-05 06:53 UTCVendor advisory
- 2026-07-05 02:42 UTCEG score recompute
- 2026-07-05 02:42 UTCVendor advisory
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 22:32 UTCEG score recompute
- 2026-07-04 22:32 UTCVendor advisory
- 2026-07-04 18:22 UTCEG score recompute
- 2026-07-04 18:22 UTCVendor advisory
- 2026-07-04 14:10 UTCEG score recompute
- 2026-07-04 14:10 UTCVendor advisory
- 2026-07-04 10:01 UTCEG score recompute
- 2026-07-04 10:01 UTCVendor advisory
- 2026-07-04 05:50 UTCEG score recompute
- 2026-07-04 05:50 UTCVendor advisory
- 2026-07-04 01:38 UTCEG score recompute
- 2026-07-04 01:38 UTCVendor advisory
- 2026-07-03 21:28 UTCEG score recompute
- 2026-07-03 21:28 UTCVendor advisory
- 2026-07-03 17:17 UTCEG score recompute
- 2026-07-03 17:17 UTCVendor advisory
- 2026-07-03 13:07 UTCEG score recompute
- 2026-07-03 13:07 UTCVendor advisory
- 2026-07-03 08:56 UTCEG score recompute
- 2026-07-03 08:56 UTCVendor advisory
- 2026-07-03 04:45 UTCEG score recompute
- 2026-07-03 04:45 UTCVendor advisory
- 2026-07-03 00:33 UTCEG score recompute
- 2026-07-03 00:33 UTCVendor advisory
- 2026-07-02 20:24 UTCEG score recompute
- 2026-07-02 20:24 UTCVendor advisory
- 2026-07-02 16:13 UTCEG score recompute
- 2026-07-02 16:13 UTCVendor advisory
- 2026-07-02 12:02 UTCEG score recompute
- 2026-07-02 12:02 UTCVendor advisory
- 2026-07-02 07:51 UTCEG score recompute
- 2026-07-02 07:51 UTCVendor advisory
- 2026-07-02 03:41 UTCEG score recompute
- 2026-07-02 03:41 UTCVendor advisory
- 2026-07-01 23:31 UTCEG score recompute
- 2026-07-01 23:31 UTCVendor advisory
- 2026-07-01 19:21 UTCEG score recompute
- 2026-07-01 19:21 UTCVendor advisory
- 2026-07-01 19:16 UTCCISA KEV update
- 2026-07-01 15:11 UTCEG score recompute
- 2026-07-01 15:11 UTCVendor advisory
- 2026-07-01 11:01 UTCEG score recompute
- 2026-07-01 11:01 UTCVendor advisory
- 2026-07-01 06:50 UTCEG score recompute
- 2026-07-01 06:50 UTCVendor advisory
- 2026-07-01 02:39 UTCEG score recompute
- 2026-07-01 02:39 UTCVendor advisory
- 2026-06-30 22:29 UTCEG score recompute
- 2026-06-30 22:29 UTCVendor advisory
- 2026-06-30 18:19 UTCEG score recompute
- 2026-06-30 18:19 UTCVendor advisory
- 2026-06-30 14:08 UTCEG score recompute
- 2026-06-30 14:08 UTCVendor advisory
- 2026-06-30 09:57 UTCEG score recompute
- 2026-06-30 09:57 UTCVendor advisory
- 2026-06-30 05:45 UTCEG score recompute
- 2026-06-30 05:45 UTCVendor advisory
- 2026-06-30 01:35 UTCEG score recompute
- 2026-06-30 01:35 UTCVendor advisory
- 2026-06-29 21:25 UTCEG score recompute
- 2026-06-29 21:25 UTCVendor advisory
- 2026-06-29 19:12 UTCCISA KEV update
- 2026-06-29 17:14 UTCEG score recompute
- 2026-06-29 17:14 UTCVendor advisory
- 2026-06-29 13:03 UTCEG score recompute
- 2026-06-29 13:03 UTCVendor advisory
- 2026-06-29 08:53 UTCEG score recompute
- 2026-06-29 08:53 UTCVendor advisory
- 2026-06-29 04:43 UTCEG score recompute
- 2026-06-29 04:43 UTCVendor advisory
- 2026-06-29 00:32 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCtpirate/cve-2023-44487-POCFirst seen Dec 14, 2025
poc for the rst dos attack discovered in 2023
Open source ↗ - Exploit-DBEDB-52426First seen Sep 16, 2025
HTTP/2 2.0 - Denial Of Service (DOS)
Open source ↗ - GitHub PoCmoften/CVE-2023-44487-HTTP-2-Rapid-Reset-AttackFirst seen Apr 14, 2025
HTTP/2 Rapid Reset Exploit PoC
Open source ↗ - Open source ↗GitHub PoCthreatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoCFirst seen Dec 3, 2024
- GitHub PoCnxenon/cve-2023-44487First seen Nov 10, 2023
Examples for Implementing cve-2023-44487 ( HTTP/2 Rapid Reset Attack ) Concept
Open source ↗ - GitHub PoCndrscodes/http2-rst-stream-attackerFirst seen Nov 8, 2023
Highly configurable tool to check a server's vulnerability against CVE-2023-44487 by rapidly sending HEADERS and RST_STREAM frames and documenting the server's responses.
Open source ↗ - Open source ↗GitHub PoCReToCode/golang-CVE-2023-44487First seen Oct 25, 2023
- GitHub PoCstudiogangster/CVE-2023-44487First seen Oct 16, 2023
A python based exploit to test out rapid reset attack (CVE-2023-44487)
Open source ↗ - GitHub PoCsecengjeff/rapidresetclientFirst seen Oct 13, 2023
Tool for testing mitigations and exposure to Rapid Reset DDoS (CVE-2023-44487)
Open source ↗ - GitHub PoCAppsynergy-io/CVE-2023-44487First seen Oct 11, 2023
Proof of concept for DoS exploit
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownmsrc · redhat
Same CWE
10 shownCWE-400
Frequently asked(6)
What is CVE-2023-44487?
When was CVE-2023-44487 disclosed?
Is CVE-2023-44487 actively exploited?
What is the CVSS score of CVE-2023-44487?
Which products are affected by CVE-2023-44487?
How do I remediate CVE-2023-44487?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-44487
Is Your Infrastructure Affected by CVE-2023-44487?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.