RUSTSEC-2024-0332: Vulnerability in h2

Rust Crates.io Security Advisory



RUSTSEC-2024-0332

Degradation of service in h2 servers with CONTINUATION Flood


Reported
Issued

Package

h2
(crates.io)

Type

Vulnerability

Categories
Keywords

#http

#http2

#h2

References
Patched
  • ^0.3.26
  • >=0.4.4

Description

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely.
This results in increased CPU usage on the server.

Tokio's task budget prevents this from becoming a complete denial of service: the server can still
respond to legitimate requests, albeit with increased latency.
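As an added illustration (not h2's own code and not the actual patch), the Rust program below models the bug class behind this advisory: a frame reader that concatenates HEADERS and CONTINUATION fragments into one header block and enforces its size limit either only once END_HEADERS arrives, a flag a flood never sets, or after every fragment. It is deliberately simplified (assumptions: HEADERS payloads are treated as raw header-block fragments with the PADDED and PRIORITY fields ignored, and exceeding the limit is modelled as terminating the connection); the flood input is constructed inline.

```rust
// Added example, not h2's code. Models a header-block accumulator with the
// size check in the wrong place (only at END_HEADERS) versus the right place.
// Assumptions: HEADERS payload == raw header-block fragment (PADDED/PRIORITY
// ignored); hitting the limit means the connection is dropped.

const FRAME_HEADERS: u8 = 0x1;
const FRAME_CONTINUATION: u8 = 0x9;
const FLAG_END_HEADERS: u8 = 0x4;

/// Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload.
pub fn frame(kind: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let len = payload.len();
    assert!(len < 1 << 24, "payload exceeds 24-bit length field");
    let mut out = Vec::with_capacity(9 + len);
    out.extend_from_slice(&[(len >> 16) as u8, (len >> 8) as u8, len as u8]);
    out.push(kind);
    out.push(flags);
    out.extend_from_slice(&(stream_id & 0x7fff_ffff).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// Constructed attack input: one HEADERS frame followed by `n` CONTINUATION
/// frames on the same stream, none carrying END_HEADERS, so the block never ends.
pub fn continuation_flood(n: usize, fragment_len: usize) -> Vec<u8> {
    let fragment = vec![0x80u8; fragment_len]; // opaque bytes; content is irrelevant
    let mut bytes = frame(FRAME_HEADERS, 0, 1, &fragment);
    for _ in 0..n {
        bytes.extend(frame(FRAME_CONTINUATION, 0, 1, &fragment));
    }
    bytes
}

#[derive(Clone, Copy, Debug)]
pub enum Policy {
    /// Compare the accumulated block to the limit only when END_HEADERS arrives.
    CheckAtEnd,
    /// Compare after every fragment, so an endless flood is cut off at the limit.
    CheckWhileAccumulating,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Complete { stream_id: u32, bytes: usize, frames: usize },
    TooLarge { bytes: usize, frames: usize },
    /// Input ran out before END_HEADERS: every frame sent was parsed and appended.
    Exhausted { frames: usize },
    ProtocolError(&'static str),
}

/// Read frames from `input` until a header block completes, is rejected, or the
/// input is exhausted. `max_block` is the header-block byte limit.
pub fn read_header_block(input: &[u8], max_block: usize, policy: Policy) -> Outcome {
    let mut pos = 0;
    let mut frames = 0;
    let mut block: Vec<u8> = Vec::new();
    let mut stream: Option<u32> = None;
    while pos + 9 <= input.len() {
        let len = ((input[pos] as usize) << 16)
            | ((input[pos + 1] as usize) << 8)
            | (input[pos + 2] as usize);
        let kind = input[pos + 3];
        let flags = input[pos + 4];
        let sid = u32::from_be_bytes([input[pos + 5], input[pos + 6], input[pos + 7], input[pos + 8]])
            & 0x7fff_ffff;
        pos += 9;
        if pos + len > input.len() {
            return Outcome::ProtocolError("truncated frame payload");
        }
        let payload = &input[pos..pos + len];
        pos += len;
        frames += 1;
        match (kind, stream) {
            (FRAME_HEADERS, None) if sid != 0 => stream = Some(sid),
            (FRAME_CONTINUATION, Some(s)) if s == sid => {}
            _ => return Outcome::ProtocolError("frame does not continue the open header block"),
        }
        block.extend_from_slice(payload); // the per-frame work a flood makes the server repeat
        let over = block.len() > max_block;
        if over && matches!(policy, Policy::CheckWhileAccumulating) {
            return Outcome::TooLarge { bytes: block.len(), frames };
        }
        if flags & FLAG_END_HEADERS != 0 {
            return if over {
                Outcome::TooLarge { bytes: block.len(), frames }
            } else {
                Outcome::Complete { stream_id: sid, bytes: block.len(), frames }
            };
        }
    }
    Outcome::Exhausted { frames }
}

fn main() {
    let flood = continuation_flood(200, 1000);
    println!("{:?}", read_header_block(&flood, 16_384, Policy::CheckAtEnd));
    println!("{:?}", read_header_block(&flood, 16_384, Policy::CheckWhileAccumulating));
}
```

With `CheckAtEnd` the reader parses all 201 frames of the flood and never rejects anything, because the limit is compared only on a flag the attacker controls; with `CheckWhileAccumulating` it stops at the 17th frame, once the block passes 16 KiB. A real attacker keeps the stream open, so the `CheckAtEnd` loop simply never returns, which is the unbounded CPU use the advisory describes.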

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

Advisory available under CC0-1.0 license.
