CVE-2023-54365
Analyzed
Analyzed - Analysis Complete
HTTP/2 Rapid Reset DoS in Traefik
Vulnerability report for CVE-2023-54365, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-07-13
Assigner: VulnCheck
Description
Description
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | 3.0.0 |
| traefik | traefik | 3.0.0 |
| traefik | traefik | 3.0.0 |
| traefik | traefik | to 2.10.5 (exc) |
| golang | go | From 1.21.0 (inc) to 1.21.3 (exc) |
| golang | go | to 1.20.10 (exc) |
| redhat | openshift_ai | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |