Apache HTTP Server is one of the most widely used web servers on the Internet, acting as the backbone infrastructure for a significant portion of web-exposed applications, APIs, and services. Its reliability is critical to the availability of numerous online businesses.
This vulnerability presents a high risk of unauthenticated remote Denial of Service (DoS). An attacker can crash any vulnerable, publicly accessible Apache server without the need for credentials or prior access. This enables simple, repeatable attacks that can cause significant service downtime, resulting in lost revenue, customer dissatisfaction, and reputational damage.
Although this specific CVE is not yet in CISA’s Known Exploited Vulnerabilities (KEV) catalog, it is a variant of the well-known HTTP/2 Rapid Reset attack (CVE-2023-44487), which is widely exploited in the wild. A public proof-of-concept exploit is available for CVE-2023-45802, significantly lowering the barrier for attackers. Any organization running a publicly exposed Apache HTTP Server with the mod_http2 module enabled is at immediate risk.
| Product | Apache HTTP Server |
| Date | 2025-12-06 12:29:58 |
Technical Summary
The root cause of this vulnerability is a memory leak (CWE-401: Failure to Release Memory After Lifecycle Completion) within the server’s mod_http2 module. The software does not correctly deallocate memory associated with an HTTP/2 stream when it is canceled by a client via an RST_STREAM frame.
The technical attack sequence is as follows:
- An attacker establishes a persistent HTTP/2 connection with a vulnerable server.
- The attacker sends a request to initiate a new stream.
- Immediately after sending the request, the attacker sends an
RST_STREAMframe to cancel that same stream. - The
mod_http2handler processes the reset but does not release the memory allocated for the initial request context. - The attacker repeats this “request and reset” cycle thousands of times over the same connection, causing the Apache server’s memory consumption to grow linearly and without limit. Eventually, the operating system terminates the process to prevent system-wide instability, resulting in a Denial of Service.
// Conceptual pseudo-code of the flawed logic
void handle_stream_reset(h2_stream* stream) {
// Logic to tear down the stream is executed.
// ...
// VULNERABILITY: The memory allocated for the stream's
// request context and associated data is NOT released here.
// free(stream->request_memory); // <-- This step is missing.
}
- Affected versions: Apache HTTP Server 2.4.57 and 2.4.58.
- Fixed version: Apache HTTP Server 2.4.59 and later.
Recommendations
Immediate Patching: Update all Apache HTTP Server instances to the fixed version 2.4.59 or later. This is the most effective form of mitigation.
Mitigations:
- If updating immediately is not possible, consider temporarily disabling the HTTP/2 protocol. This can be done by commenting out the
LoadModule http2_moduleline in the server configuration and restarting the service. Note that this may have implications for web application performance. - Place the server behind a reverse proxy, load balancer, or Content Delivery Network (CDN) that has implemented mitigations against HTTP/2-based DoS attacks like Rapid Reset.
- If updating immediately is not possible, consider temporarily disabling the HTTP/2 protocol. This can be done by commenting out the
-
Threat hunting & monitoring:
- Implement and monitor alerts for abnormal and prolonged increases in memory usage for
httpd(or equivalent) server processes. The memory growth resulting from this attack is constant and typically does not decrease over time. - While difficult to detect in standard logs, specialized network monitoring or Web Application Firewall (WAF) logs may reveal individual client IPs establishing persistent HTTP/2 connections with an abnormal rate of stream creation and reset.
- Implement and monitor alerts for abnormal and prolonged increases in memory usage for
-
Incident response:
- If an attack is in progress, identify the source IP address and apply a temporary block at the network firewall or perimeter device level.
- Before restarting a crashed server process, attempt to collect a memory dump for forensic analysis if required by your incident response procedures.
-
Defense in depth:
- Ensure automated monitoring and alerting systems are active for all critical server health parameters, including memory, CPU, and connection count.
- Implement a Web Application Firewall (WAF) with HTTP/2 traffic inspection and rate-limiting capabilities to prevent abusive behavior.
[Callforaction-THREAT-Footer]
