Recent research has unveiled a significant vulnerability within the HTTP/2 protocol, known as the HTTP/2 CONTINUATION Flood. Security expert Bartek Nowotarski brought attention to this exploit, which enables denial-of-service (DoS) attacks by flooding servers with CONTINUATION frames. These frames, lacking proper limitations or sanitization in many HTTP/2 implementations, overload server memory and processing capabilities, potentially leading to crashes or performance degradation.
This vulnerability poses a more severe threat compared to previous exploits like the Rapid Reset attack, as it can disrupt server availability with just a single machine or a few frames. Moreover, the attack remains stealthy, as the malicious requests do not appear in HTTP access logs. The flaw arises from incorrect handling of HEADERS and multiple CONTINUATION frames without the necessary END_HEADERS flag, creating an endless stream of headers for servers to parse and store in memory.
Several widely-used projects, including Apache HTTP Server, Node.js, and Golang, are affected by this vulnerability, prompting urgent software updates to mitigate risks. However, if immediate patches are unavailable, temporarily disabling HTTP/2 on servers is advised as a precautionary measure. Despite the severity of the issue, it’s reassuring that the research community continues to uncover and address vulnerabilities, underscoring the importance of ongoing vigilance and prompt response to emerging threats in the digital landscape.
