Unrated severity · NVD Advisory · Published Oct 11, 2024 · Updated Oct 11, 2024
H2O assertion failure when HTTP/3 requests are cancelled
CVE-2024-45403
Description
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.
Affected products
- h2o/h2o v5 Range: >= 16b13eee8ad7895b4fe3fcbcabee53bd52782562, < 1ed32b23f999acf0c5029f09c8525f93eb1d354c
References
- github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 (mitre, x_refsource_MISC)
- github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c (mitre, x_refsource_MISC)
- github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92 (mitre, x_refsource_CONFIRM)
- h2o.examp1e.net/configure/http3_directives.html (mitre, x_refsource_MISC)