CVE-2023-45802

MEDIUM

Apache HTTP Server 2.4.17-2.4.57 - Denial of Service via HTTP/2 Stream Reset

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-45802. PoCs published by MehranTurk.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2023-45802, which targets a memory exhaustion vulnerability in Apache HTTP Server versions 2.4.17 through 2.4.57. The exploit uses HTTP/2 Rapid Reset attacks to create and immediately reset a large number of streams, causing memory exhaustion on vulnerable servers.

Description

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Exploits (1)

nomisec WORKING POC

by MehranTurk · poc

https://github.com/MehranTurk/CVE-2023-45802

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-45802, which targets a memory exhaustion vulnerability in Apache HTTP Server versions 2.4.17 through 2.4.57. The exploit uses HTTP/2 Rapid Reset attacks to create and immediately reset a large number of streams, causing memory exhaustion on vulnerable servers.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apache HTTP Server 2.4.17 through 2.4.57

No auth needed

Prerequisites: HTTP/2 support on target server · TLS/SSL support on target server

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 20, 2026 Full analysis →

References (6)

Core 6

Core References

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20231027-0011/

Vendor Advisory vendor-advisory

https://httpd.apache.org/security/vulnerabilities_24.html

Scores

CVSS v3 5.9

EPSS 0.0302

EPSS Percentile 85.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-404

Status published

Products (5)

apache/http_server 2.4.17 - 2.4.58

debian/debian_linux 10.0

fedoraproject/fedora 37

fedoraproject/fedora 38

fedoraproject/fedora 39

Published Oct 23, 2023

Tracked Since Feb 18, 2026