h2o HTTP Server Vulnerability: Crash and DoS Exploit
CVE-2024-45403

7.5 HIGH

Key Information:

Vendor: H2o
Status: Vendor
CVE Published: 11 October 2024

Summary

h2o is a versatile HTTP server that supports the HTTP/1.x, HTTP/2, and HTTP/3 protocols. A vulnerability has been identified in the server's reverse-proxy functionality: when a client cancels an HTTP/3 request, the server can crash due to an assertion failure. A remote client can trigger this to cause a Denial-of-Service, disrupting all HTTP requests the process is serving at that moment; the standalone server's automatic restart feature limits the overall impact on the system but does not prevent the crash. Users are advised to disable HTTP/3 to mitigate the risk. The issue is addressed in commit 1ed32b2, the upper bound of the affected range below.

Affected Version(s)

h2o >= 16b13eee8ad7895b4fe3fcbcabee53bd52782562, < 1ed32b23f999acf0c5029f09c8525f93eb1d354c

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
