VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

HTTP/2 allows for the transmission of header fields in both header and trailer sections, which can be split into header blocks and transmitted in multiple fragments. A vulnerability has been discovered in several HTTP/2 implementations that do not limit the number of CONTINUATION frames sent within a single stream, leading to out-of-memory (OOM) crashes. An attacker can exploit this by sending a stream of CONTINUATION frames without setting the END_HEADERS flag, causing the server to process and decode the frames, resulting in an OOM crash. This vulnerability affects various implementations, including Node.js, Envoy, Tempesta FW, amphp/http, Go net/http and net/http2 packages, Apache Httpd, Apache Traffic Server, and Envoy's HTTP/2 codec. Exploiting this vulnerability can lead to denial of service (DoS) attacks against servers using vulnerable implementations. It is crucial to note that analyzing incoming malicious traffic exploiting this vulnerability may be challenging as the HTTP request is not properly completed, requiring raw HTTP traffic analysis to identify an attack.