CVE-2023-54365
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
A vulnerability in Traefik before 2.10.5 and 3.0.0-beta4 allows a denial-of-service attack via rapid creation and cancellation of HTTP/2 streams (Rapid Reset technique). The issue originates from the Go standard library's HTTP/2 implementation.
Risk Assessment
A remote attacker can exhaust server resources, causing service unavailability. This may lead to application downtime and financial losses.
Recommendation
Immediately upgrade Traefik to version 2.10.5 or later (for 2.x branch) and to version 3.0.0-beta5 or later (for 3.x branch).
Original NVD description (English source)
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.

