CVE-2024-45403

low-risk

Published 2024-10-11

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

H2O

Affected Vendors

Dena

References (4)

Patch https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562

Patch https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c

Vendor Advisory https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92

Product https://h2o.examp1e.net/configure/http3_directives.html

/ 100

low-risk

Severity 13/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal