CVE-2023-43622

HIGH

Apache HTTP Server 2.4.55-2.4.57 - Denial of Service via HTTP/2 Zero Window Size

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43622. PoCs published by visudade.

AI-analyzed exploit summary This PoC exploits CVE-2023-43622 by manipulating HTTP/2 window sizes to trigger a DoS condition. It floods the target with HTTP/2 requests with a window size of 0, causing resource exhaustion.

Description

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Exploits (1)

nomisec WORKING POC 1 stars
by visudade · poc
https://github.com/visudade/CVE-2023-43622

This PoC exploits CVE-2023-43622 by manipulating HTTP/2 window sizes to trigger a DoS condition. It floods the target with HTTP/2 requests with a window size of 0, causing resource exhaustion.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: HTTP/2 servers (specific vendor/version not specified)
No auth needed
Prerequisites: Network access to target server · HTTP/2 support on target
mistral-large-3 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.7059
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (1)
apache/http_server 2.4.55 - 2.4.58
Published Oct 23, 2023
Tracked Since Feb 18, 2026