HTTP/2: A New Vulnerability Threatens the Entire Internet

Attention Administrators: Your Servers May Be at Risk!
If you thought this would be a quiet week, I have some bad news. Security researchers have just disclosed a new, potentially catastrophic vulnerability in the HTTP/2 protocol. It has been dubbed "CONTINUATION Flood" (designated CVE-2025-43177), and it looks like it could cause a lot of trouble.
How Does the "CONTINUATION Flood" Attack Work?
In a nutshell, the HTTP/2 protocol, which powers a significant portion of the modern internet, has a flaw. An attacker can send a series of specially crafted packets (CONTINUATION frames) to a server without a proper termination signal. The server, attempting to process this endless stream of data, consumes all available RAM and CPU power, leading to it freezing or becoming completely paralyzed.
The worst part is that a single connection from a single computer is enough to carry out such an attack. You don't need a botnet to take down even a powerful machine. This makes "CONTINUATION Flood" an extremely dangerous tool for conducting Denial of Service (DoS) attacks.
What Does the Attack Look Like Step-by-Step?
To better understand what's happening "under the hood," let's walk through a simplified attack scenario. Imagine a conversation between a client and a server:
- Establishing a Connection: The attacker connects to the victim's server using the HTTP/2 protocol. This is a standard, innocent start to any session.
- Sending Headers: The attacker begins to send a request, starting with a HEADERS frame. Think of it as starting a letter by writing the recipient's address. However, a small technical detail is key here: the END_HEADERS flag is not set in this frame. This signals to the server, "Hey, this isn't all the headers, I'll send the rest in subsequent packets!"
- The Flood of Continuations: Instead of finishing the headers, the attacker keeps sending a continuous stream of CONTINUATION frames. None of them have the END_HEADERS flag either.
- Resource Exhaustion: The server obediently receives each CONTINUATION frame, assembles them in memory, and waits for the end signal that never arrives. This leads to a rapid exhaustion of memory (RAM) and pushes CPU usage to 100%, ultimately causing the server to crash and resulting in a denial of service for legitimate users.
The "genius" of this attack lies in using a legitimate feature of the protocol in a malicious way, making it difficult to detect with traditional security systems.
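As an added illustration (not code from the article or from any of the projects it names), here is a minimal Python HTTP/2 frame reader with the kind of bound a hardened implementation applies: it tracks the total size of a HEADERS + CONTINUATION sequence and aborts as soon as that total passes a configured limit, instead of buffering until an END_HEADERS that may never come. The frame layout follows RFC 9113; the 8192-byte cap and the filler payloads are assumptions made for the demo.

```python
import struct

# HTTP/2 frame constants (RFC 9113): 9-byte frame header, frame types, END_HEADERS flag
FRAME_HEADER_LEN = 9
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        off += FRAME_HEADER_LEN + length
        yield ftype, flags, stream_id, payload

def process_header_block(data, max_header_bytes=8192):
    """Buffer a HEADERS + CONTINUATION sequence the way a hardened server should: the running
    total of header-block bytes is checked against a cap before more is stored. Returns
    ("ok", n) once END_HEADERS arrives, ("reject", n) when the cap is exceeded (a real server
    would then send GOAWAY and close the connection), or ("incomplete", n) if data ran out."""
    buffered = 0
    for ftype, flags, _stream_id, payload in iter_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue
        buffered += len(payload)
        if buffered > max_header_bytes:
            return ("reject", buffered)
        if flags & END_HEADERS:
            return ("ok", buffered)
    return ("incomplete", buffered)

# Constructed sample input: filler bytes stand in for HPACK data (the limiter never decodes it).
# A normal request: headers split across three frames, the last one carrying END_HEADERS.
BENIGN = b"".join([
    build_frame(HEADERS, 0, 1, b"\x82" * 100),
    build_frame(CONTINUATION, 0, 1, b"\x82" * 200),
    build_frame(CONTINUATION, END_HEADERS, 1, b"\x82" * 50),
])
# The pattern the article describes: CONTINUATION frames that never carry END_HEADERS.
UNTERMINATED = build_frame(HEADERS, 0, 3, b"\x82" * 100) + b"".join(
    build_frame(CONTINUATION, 0, 3, b"\x82" * 1024) for _ in range(20))

if __name__ == "__main__":
    print(process_header_block(BENIGN))        # ("ok", 350)
    print(process_header_block(UNTERMINATED))  # ("reject", 8292): stops after 8 of the 20 frames
```

Without the cap the same loop would simply keep appending until memory ran out, which is exactly the failure the article describes; with it, the connection is dropped after a bounded amount of work regardless of how many frames follow.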
Who Is Vulnerable?
The issue affects many popular implementations of the HTTP/2 protocol. The list of vulnerable technologies includes, among others:
- Node.js
- Apache HTTP Server
- Envoy
- Tempesta FW
- And many other libraries and servers.
If you manage a web infrastructure, there's a high probability that this problem affects you too.
What to Do? How to Live?
Fortunately, software vendors have already responded. Updates and patches that fix this critical vulnerability are now available. The recommendation is simple and straightforward: update your server software immediately! Delaying could cost you service stability and a lot of stress.
It seems we're in for a busy period of patching and securing systems. Stay vigilant!
Source: BleepingComputer
Aleksander
About the Author

Director of Technology at SecurHub.pl
PhD student in cognitive neuroscience. Psychologist and IT expert specializing in cybersecurity.