CVE Catalog

CVE-2023-54365

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.56%

42th percentile — higher than 42% of all known CVEs

Summary

A vulnerability in Traefik before 2.10.5 and 3.0.0-beta4 allows a denial-of-service attack via rapid creation and cancellation of HTTP/2 streams (Rapid Reset technique). The issue originates from the Go standard library's HTTP/2 implementation.

Risk Assessment

A remote attacker can exhaust server resources, causing service unavailability. This may lead to application downtime and financial losses.

Recommendation

Immediately upgrade Traefik to version 2.10.5 or later (for 2.x branch) and to version 3.0.0-beta5 or later (for 3.x branch).

Original NVD description (English source)

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS