The Rising Threat of HTTP/2 Vulnerabilities: From Rapid Reset to Continuation Flood CVE-2024-27316, CVE-2024-24549

HTTP/2 vulnerability, Continuation Flood attack, Rapid Reset DDoS, cybersecurity threats, Apache HTTP Server CVE-2024-27316, Envoy CVE-2024-27919, Node.js security patch, AMPHP CVE-2024-2653, Apache Tomcat CVE-2024-24549, Golang CVE-2023-45288, Nghttp2 CVE-2024-28182, Tempesta FW CVE-2024-2758, vulnerability mitigation strategies, protocol security enhancements
ASPM, HTTP/2 vulnerability, Continuation Flood attack, Rapid Reset DDoS, cybersecurity threats, Apache HTTP Server CVE-2024-27316, Envoy CVE-2024-27919, Node.js security patch, AMPHP CVE-2024-2653, Apache Tomcat CVE-2024-24549, Golang CVE-2023-45288, Nghttp2 CVE-2024-28182, Tempesta FW CVE-2024-2758, vulnerability mitigation strategies, protocol security enhancements"

At the beginning of the year, we had a flood of DDoS due to HTTP/2 failure, a series of vulnerabilities like CVE-2024-27316, CVE-2024-24549, and others can cause DDoS, in systems like software components like AMPHP, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy, Golang, Node.js, Nghttp2, and Tempesta FW calling for ASPM and urgent attention for upgrading. This article delves into two significant vulnerabilities—Rapid Reset and the HTTP/2 Continuation Flood—highlighting their impact and the urgent call for mitigation efforts, particularly concerning software components like AMPHP, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy, Golang, Node.js, Nghttp2, and Tempesta FW.

Understanding the HTTP/2 Protocol

HTTP/2 was designed to enhance web performance and efficiency. However, like any technological advancement, it introduced new vulnerabilities that malicious actors could exploit. The discovery of the ASPM vulnerability, along with others, has brought to light the ongoing vulnerability campaign aimed at exploiting these weaknesses, particularly through DDoS (Distributed Denial of Service) attacks.

The main difference between HTTP/1.1 and HTTP/2 is that the later is a binary protocol and client and server exchange frames instead of text lines. There are many frame types, including some control frames that does not transmit data but rather allow configuration of an HTTP/2 session (like SETTINGS or WINDOW_UPDATE). To make this vulnerability easy to understand I need to present two frames: HEADERS frame and CONTINUATION frame. For those who would like to catch up, the best way to learn it is by reading RFC9204.

The Emergence of Rapid Reset and HTTP/2 Continuation Flood

CONTINUATION frames are very similar to HEADER frames but they have just one flag: END_HEADERS which has the same function: when set the counterparty knows that more headers are coming in the following CONTINUATION frames.

Rapid Reset emerged as a formidable exploit, leveraging the HTTP/2 protocol’s stream cancellation feature to launch significant DDoS attacks. This vulnerability demonstrated the potential for even small botnets to cause substantial disruptions, making it a wake-up call for the cybersecurity community.

However, the HTTP/2 Continuation Flood has since been identified as an even more severe threat. Discovered by security researchers, this vulnerability exploits the protocol’s handling of CONTINUATION frames, leading to server instability, crashes, or memory exhaustion. Its stealthy nature—leaving no trace in HTTP access logs—compounds the challenge of detection and mitigation.

The attack uses an infinite chain of continuation

Reference https://nowotarski.info/http2-continuation-flood-technical-details

Exploitability

Despite not having evidence of exploit at scale, due to the DDoS nature and simplicity of attack is recommended high attention

Also, due to the nature of the embedded device and HTTP service, several 3rd party software will be affected:e.g. arista

more of those will come as the vulnerability evolves

Affected Software and the Call for Action

The HTTP/2 Continuation Flood affects a wide range of software, highlighting the vulnerability’s extensive reach. Notably, the following components have been identified as vulnerable, each assigned specific CVE identifiers indicating the need for immediate attention:

Mitigation and Forward Steps

The disclosure of these vulnerabilities has spurred a coordinated effort among developers, businesses, and cybersecurity professionals to patch affected systems and fortify their defenses against potential attacks. Upgrading to the latest versions of impacted software is crucial to mitigating the threats posed by the HTTP/2 Continuation Flood and other related vulnerabilities.

Moreover, organizations are advised to conduct regular vulnerability assessments and embrace a proactive stance towards cybersecurity. Understanding the intricacies of the HTTP/2 protocol and the nature of these vulnerabilities is essential in developing robust defense mechanisms against evolving cyber threats.

Conclusion

The discovery of vulnerabilities like Rapid Reset and the HTTP/2 Continuation Flood within the HTTP/2 protocol serves as a stark reminder of the dynamic landscape of cybersecurity threats. As technology continues to advance, so too do the opportunities for exploitation. It’s imperative that the cybersecurity community remains vigilant, collaborative, and proactive in its efforts to protect digital infrastructure from such vulnerabilities. By staying informed and prepared, we can navigate the complexities of the digital age with confidence and resilience.

How Phoenix Security Can Help Identify and schedule campaign for HTTP/2 continuation flood

attack graph phoenix security
ASPM

Phoenix Security helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and the cloud. One of the significant challenges in securing applications is knowing where and where HTTP/2 library is used. ASPM tools can scan the application portfolio to identify instances of vulnerable Linux and which version is exploitable, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can first address the most pressing threats and then optimise resource allocation and remediation efforts.

CVE-2024-27316 and campaign Phoenix allow to address CVE-2024-27316 in bulk with others, following an example of the most recent liblzma campaign CVE-2024-3094

CVE-2024-3094,  jira , ASPM

The Role of Application Security Posture Management (ASPM):

phoenix security CVE-2024-3094, Linux Security, xz-utils, liblzma,

ASPM plays a vital role in managing and securing applications like those built with HTTP/2. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Vulnerable Versions/ Components: Locate where HTTP/2 is implemented within the software package.
  2. Vulnerability Management: Detect known vulnerabilities in HTTP/2 and prioritize them for remediation.
  3. Configuration Monitoring: Ensure HTTP/2 configurations adhere to best security practices.
  4. Compliance: Check if the usage of HTTP/2 aligns with relevant cybersecurity regulations and standards.
  5. Raise Exceptions where specific versions are not affected
phoenix security CVE-2024-3094, Linux Security, xz-utils, liblzma,

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get in control of your Application Security posture and Vulnerability management

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

The journey of securing an organization’s application landscape varies dramatically, depending on where a company stands in its maturity. Early-stage startups with small security teams face challenges not only with vulnerabilities but also with scaling their security processes in line with their growth. On the flip side, established enterprises struggle with managing complex environments, prioritizing remediation, and dealing with vast amounts of vulnerabilities while staying ahead of sophisticated threats. For startups, the focus is clear—establish visibility and ensure core security practices are in place. Application Security Posture Management (ASPM) tools provide a straightforward, automated approach to detecting vulnerabilities and enforcing policies. These solutions help reduce risk quickly without overburdening small security teams. Mature organizations, on the other hand, are tackling a different set of problems. With the sheer number of vulnerabilities and an increasingly complicated threat landscape, enterprises need to fine-tune their approach. The goal shifts toward intelligent remediation, leveraging real-time threat intelligence and advanced risk prioritization. ASPM tools at this stage do more than just detect vulnerabilities—they provide context, enable proactive decision-making, and streamline the entire remediation process. The emergence of AI-assisted code generation has further complicated security in both environments. These tools, while speeding up development, are often responsible for introducing new vulnerabilities into applications at a faster pace than traditional methods. The challenge is clear: AI-generated code can hide flaws that are difficult to catch in the rush of innovation. Both startups and enterprises need to adjust their security posture to account for these new risks. ASPM platforms, like Phoenix Security, provide automated scanning of code before it hits production, ensuring that flaws don’t make it past the first line of defense. Meanwhile, organizations are also grappling with the backlog crisis in the National Vulnerability Database (NVD). A staggering number of CVEs remain unprocessed, leaving many businesses with limited data on which to base their patching decisions. While these delays leave companies vulnerable, Phoenix Security steps in by cross-referencing CVE data with known exploits and live threat intelligence, helping organizations stay ahead despite the lag in official vulnerability reporting. Whether just starting their security program or managing a complex infrastructure, organizations need a toolset that adapts with them. Phoenix Security enables businesses of any size to prioritize vulnerabilities based on actual risk, not just theoretical impact, helping security teams navigate the evolving threat landscape with speed and accuracy.
Francesco Cipollone
The cybersecurity world is reeling as MITRE’s funding for the CVE and NVD systems expires, disrupting the backbone of global vulnerability management. As traditional sources like the National Vulnerability Database collapse under funding cuts and submission backlogs, security teams face delays, incomplete data, and loss of automation in remediation pipelines. This isn’t just a data problem—it’s a structural crisis for application security and vulnerability correlation. In this landscape of uncertainty, Phoenix Security’s ASPM platform steps up with a code-to-cloud correlation engine that doesn’t depend on outdated data workflows. By connecting code-level insights (including tools like Semgrep) to runtime and cloud environments, Phoenix enables faster, context-aware vulnerability remediation—even as NVD and CVE pipelines deteriorate. This article dives into the implications of the CVE shutdown and how Phoenix Security is helping security and development teams transition to a resilient, correlation-first approach to cybersecurity.
Francesco Cipollone
Learn how to predict ransomware risks and vulnerability exploitation using a threat-centric approach. Explore data-driven insights, verified exploit trends, and methods for assessing the likelihood of attacks with key references to CISA KEV, EPSS, and Phoenix Security’s 4D Risk Formula.
Francesco Cipollone
Remote Code Execution flaws continue to undermine Kubernetes ingress integrity. IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) showcases severe threat vectors in NGINX-based proxies, leading to cluster-wide exposure. ASPM, robust remediation tactics, and strong application security solutions—like Phoenix Security—mitigate these vulnerabilities before ransomware groups exploit them.
Francesco Cipollone
Remote Code Execution flaws continue to undermine Kubernetes ingress integrity. IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) showcases severe threat vectors in NGINX-based proxies, leading to cluster-wide exposure. ASPM, robust remediation tactics, and strong application security solutions—like Phoenix Security—mitigate these vulnerabilities before ransomware groups exploit them.
Francesco Cipollone
The recent Google acquisition of Wiz for $32 billion has sent shockwaves through the cybersecurity industry, particularly in the realm of Application Security Posture Management (ASPM). This monumental deal highlights the critical importance of cloud security and the growing demand for robust ASPM solutions. While the acquisition promises potential benefits for Google Cloud users, it also raises concerns about vendor lock-in and the future of cloud-agnostic security. Explore the implications of this acquisition and discover how neutral ASPM solutions like Phoenix Security can bridge the gap in multi-cloud environments, ensuring continuous, collaborative, and comprehensive security from code to cloud.” – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO