Impact
The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames, even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage decoding the HPACK stream.
See also https://www.kb.cert.org/vuls/id/421644
Patches
nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it can accept after a HEADERS frame.
Workarounds
There is no workaround for this vulnerability.
References
The following commits mitigate this vulnerability:
The first commit limits the number of CONTINUATION frames after a HEADERS frame to 8.
The second commit makes the limit configurable.
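The limit described above, as an added illustration that is not nghttp2's own code: a small connection-level guard that parses the 9-byte HTTP/2 frame header (RFC 9113 layout), counts CONTINUATION frames following a HEADERS frame whose header block is still open, and rejects the connection once a configurable maximum (default 8, matching the first commit) is exceeded. The guard runs independently of stream state, so resetting the stream does not reset the count. All names and sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* HTTP/2 frame types and flags from RFC 9113 */
#define H2_FRAME_HEADERS        0x1
#define H2_FRAME_CONTINUATION   0x9
#define H2_FLAG_END_HEADERS     0x4
#define H2_FRAME_HEADER_LEN     9

/* Default mirrors the first commit's hard limit of 8 CONTINUATION frames */
#define DEFAULT_MAX_CONTINUATIONS 8

typedef struct {
    size_t max_continuations; /* configurable, like the second commit */
    size_t pending;           /* CONTINUATION frames seen since last HEADERS */
    int    in_header_block;   /* 1 while a header block is still open */
} h2_cont_guard;

void h2_guard_init(h2_cont_guard *g, size_t max) {
    g->max_continuations = max ? max : DEFAULT_MAX_CONTINUATIONS;
    g->pending = 0;
    g->in_header_block = 0;
}

/* Feed one frame header. Returns 0 to accept the frame, -1 to reject
   it (treat as a connection error and close, as nghttp2 now does). */
int h2_guard_on_frame(h2_cont_guard *g, const uint8_t hdr[H2_FRAME_HEADER_LEN]) {
    uint8_t type = hdr[3];   /* bytes 0-2: payload length, 3: type, 4: flags */
    uint8_t flags = hdr[4];
    if (type == H2_FRAME_HEADERS) {
        g->pending = 0;
        g->in_header_block = !(flags & H2_FLAG_END_HEADERS);
        return 0;
    }
    if (type == H2_FRAME_CONTINUATION) {
        if (!g->in_header_block) return -1;                 /* no open block */
        if (++g->pending > g->max_continuations) return -1; /* flood cut off */
        if (flags & H2_FLAG_END_HEADERS) g->in_header_block = 0;
        return 0;
    }
    return g->in_header_block ? -1 : 0; /* nothing else may interleave a block */
}

/* Constructed scenario: one HEADERS frame without END_HEADERS, then n
   CONTINUATION frames. Returns the 1-based index of the first rejected
   frame, or 0 if every frame was accepted. */
size_t h2_guard_simulate(size_t max, size_t n) {
    h2_cont_guard g;
    h2_guard_init(&g, max);
    uint8_t headers[9] = {0, 0, 0, H2_FRAME_HEADERS, 0x0, 0, 0, 0, 1};
    uint8_t cont[9]    = {0, 0, 0, H2_FRAME_CONTINUATION, 0x0, 0, 0, 0, 1};
    if (h2_guard_on_frame(&g, headers) != 0) return 1;
    for (size_t i = 1; i <= n; i++)
        if (h2_guard_on_frame(&g, cont) != 0) return i + 1;
    return 0;
}
```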