Keypoints
- CONTINUATION Flood vulnerabilities exploit HTTP/2 CONTINUATION frames by omitting the END_HEADERS flag, allowing indefinite header fragmentation that many implementations fail to limit or validate.
- Attacks can cause out-of-memory (OOM) crashes or CPU exhaustion, in some cases using only one HTTP/2 TCP connection to trigger a DoS.
- CERT-CC lists multiple CVEs affecting implementations such as Node.js, Envoy (oghttp codec), Tempesta FW, amphp/http, Go net/http and net/http2, nghttp2-based implementations, Apache httpd, and Apache Traffic Server.
- Impact varies from memory leaks to unbounded memory consumption and excessive CPU usage depending on the implementation and missing mitigation logic (header size limits, timeouts, reset callbacks).
- Detection is difficult because malicious CONTINUATION frames may not appear in standard access logs unless advanced frame-level analytics are enabled.
- Vendors and projects confirming impact include Red Hat, SUSE, Arista, Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go project.
- Immediate mitigation requires applying vendor patches/upgrades and ensuring HTTP/2 implementations enforce header size limits, timeouts, and proper stream reset handling.
MITRE Techniques
- [T1498] Network Denial of Service – Using an endless stream of HTTP/2 CONTINUATION frames to exhaust server resources; quote: ‘…send an extremely long string of frames by simply not setting the ‘END_HEADERS’ flag, leading to server outages due to out-of-memory crashes or CPU resource exhaustion…’
- [T1499] Endpoint Denial of Service – Causing process OOMs by building an unbounded headers list from CONTINUATION frames when implementations do not limit header size; quote: ‘…implementations that allow OOM simply did not limit the size of headers list built using CONTINUATION frames.’
- [T1190] Exploit Public-Facing Application – Exploiting protocol parsing flaws in public HTTP/2 servers to crash services with crafted frames; quote: ‘…single HTTP/2 TCP connection to crash the server.’
- [T1070] Indicator Removal on Host – Avoiding visibility in standard access logs because frame-level analytics are typically not enabled, hindering detection; quote: ‘…malicious requests wouldn’t be visible in the access logs if advanced frame analytics isn’t enabled on the server…’
Indicators of Compromise
- [CVE IDs] Vulnerability identifiers referenced – CVE-2024-27983, CVE-2024-27919, and 7 more CVE IDs (e.g., CVE-2024-2758, CVE-2024-2653, CVE-2023-45288).
- [URLs] Technical writeups and advisories – researcher blog (http://nowotarski.info/http2-continuation-flood-technical-details/), CERT-CC advisory (http://kb.cert.org/vuls/id/421644), and source article (https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/).
- [Affected Implementations] Libraries/servers noted as vulnerable – examples include Node.js HTTP/2 server, Envoy oghttp codec, and nghttp2-based implementations (and others listed in the CVEs).
HTTP/2 transmits headers in binary frames that can be fragmented across HEADERS and CONTINUATION frames; many implementations historically relied on limits or stream-reset callbacks that some vendors did not enforce. The CONTINUATION Flood exploits this by sending a continuous sequence of CONTINUATION frames without the END_HEADERS flag, allowing the recipient to accumulate an unbounded headers list or repeatedly allocate resources while parsing, which can trigger out-of-memory or sustained CPU spikes. In several implementations the absence of header size limits, header timeouts, or proper handling of stream resets enables a single TCP connection to overwhelm the server process.
Practical effects vary by implementation: some exhibit memory leaks triggered by race conditions, others allow unlimited memory consumption when header map limits are exceeded, and some suffer excessive CPU consumption when processing arbitrarily large header sets. CERT-CC and the researcher mapped multiple CVEs to affected projects (Node.js, Envoy, Tempesta FW, amphp/http, Go net/http{2}, nghttp2, Apache httpd, Apache Traffic Server). The root mitigation patterns are the same across implementations—enforce strict header size limits, implement header timeouts, ensure stream reset callbacks free buffers promptly, and patch the vulnerable code paths as vendors publish fixes.
Because frame-level activity is often not present in standard access logs, detection requires enabling advanced HTTP/2 frame analytics or using protocol-aware traffic inspection. Immediate actions are to apply vendor patches for the listed CVEs, harden HTTP/2 configuration to enforce limits and timeouts, and monitor for abnormal single-connection resource spikes as indicators of attempted CONTINUATION floods.