{"id":"RUSTSEC-2024-0332","summary":"Degradation of service in h2 servers with CONTINUATION Flood","details":"An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely.\nThis results in an increase in CPU usage.\n\nTokio task budget helps prevent this from a complete denial-of-service, as the server can still\nrespond to legitimate requests, albeit with increased latency.\n\nMore details at \"https://seanmonstar.com/blog/hyper-http2-continuation-flood/.\n\nPatches available for 0.4.x and 0.3.x versions.","aliases":["GHSA-q6cp-qfwq-4gcv"],"modified":"2024-04-11T16:41:43.668809Z","published":"2024-04-03T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/h2"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0332.html"},{"type":"WEB","url":"https://seanmonstar.com/blog/hyper-http2-continuation-flood/"}],"affected":[{"package":{"name":"h2","ecosystem":"crates.io","purl":"pkg:cargo/h2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.3.26"},{"introduced":"0.4.0-0"},{"fixed":"0.4.4"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"categories":["denial-of-service"],"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0332.json"}}],"schema_version":"1.7.3"}