spacemeshos / post-rs

Rust implementation of POST proving
MIT License

RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood #378

Closed github-actions[bot] closed 1 month ago

github-actions[bot] commented 1 month ago

Degradation of service in h2 servers with CONTINUATION Flood

Details
Package: h2
Version: 0.4.3
Date: 2024-04-03
Patched versions: ^0.3.26, >=0.4.4

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

See advisory page for additional details.
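The practical question this advisory raises for a consumer of post-rs is whether the h2 version resolved in Cargo.lock falls inside the patched ranges. The following is an added example, not code from post-rs, the advisory, or cargo-audit: it parses plain `MAJOR.MINOR.PATCH` versions, encodes the advisory's patched ranges (`^0.3.26`, which in Cargo semantics means `>=0.3.26, <0.4.0` because the caret pins the minor component for 0.x versions, and `>=0.4.4`), and scans a constructed Cargo.lock fragment for `h2` entries. The `Version`, `is_patched` and `audit_cargo_lock` names and the `SAMPLE_LOCK` contents are assumptions of this example.

```rust
// Added example (not part of post-rs or the RUSTSEC advisory): checks whether a
// resolved h2 version from Cargo.lock falls inside the advisory's patched
// ranges `^0.3.26` and `>=0.4.4`. Dependency-free so it runs stand-alone.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse a plain "MAJOR.MINOR.PATCH" string. Pre-release tags and build
    /// metadata are not handled; such strings return None rather than a guess.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Patched ranges from RUSTSEC-2024-0332 as (inclusive lower bound, exclusive
/// upper bound). `^0.3.26` in Cargo semantics is >=0.3.26, <0.4.0 because for
/// 0.x versions the caret pins the minor component; `>=0.4.4` has no upper bound.
const PATCHED: &[(Version, Option<Version>)] = &[
    (Version { major: 0, minor: 3, patch: 26 }, Some(Version { major: 0, minor: 4, patch: 0 })),
    (Version { major: 0, minor: 4, patch: 4 }, None),
];

/// True when `v` lies inside at least one patched range.
pub fn is_patched(v: Version) -> bool {
    PATCHED
        .iter()
        .any(|(lo, hi)| v >= *lo && hi.map_or(true, |hi| v < hi))
}

/// Scan Cargo.lock text for `[[package]]` entries named `h2` and report each
/// resolved version together with whether it is patched.
pub fn audit_cargo_lock(lock: &str) -> Vec<(Version, bool)> {
    let mut out = Vec::new();
    for entry in lock.split("[[package]]") {
        let mut name = None;
        let mut version = None;
        for line in entry.lines() {
            let line = line.trim();
            if let Some(v) = line.strip_prefix("name = ") {
                name = Some(v.trim_matches('"'));
            } else if let Some(v) = line.strip_prefix("version = ") {
                version = Version::parse(v.trim_matches('"'));
            }
        }
        if name == Some("h2") {
            if let Some(v) = version {
                out.push((v, is_patched(v)));
            }
        }
    }
    out
}

// Constructed sample Cargo.lock fragment for the example; not taken from post-rs.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "h2"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hyper"
version = "1.2.0"
"#;

fn main() {
    for (v, ok) in audit_cargo_lock(SAMPLE_LOCK) {
        println!(
            "h2 {}.{}.{}: {}",
            v.major,
            v.minor,
            v.patch,
            if ok { "patched" } else { "VULNERABLE (RUSTSEC-2024-0332)" }
        );
    }
}
```

Running this against the constructed lock file reports `h2 0.4.3` as vulnerable; bumping the resolved version to 0.4.4 (or 0.3.26 on the 0.3 line) flips it to patched. For a real project, `cargo audit` performs this check against the full RustSec database, which is what produced the bot report above.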