CVE-2023-54365: Traefik - Denial of Service via HTTP/2 Request Handling
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
Security readout for executives and security teams
Plain-English summary
This is a service-availability risk in Traefik. A remote attacker can abuse HTTP/2 request handling by rapidly opening and canceling streams, consuming resources and making services behind Traefik unavailable. The source bundle identifies fixed Traefik versions as 2.10.5 and 3.0.0-beta4.
Executive priority
Prioritize remediation for public-facing Traefik because the impact is service outage, not data theft. The attack is remote and unauthenticated, so business risk depends mainly on where vulnerable Traefik instances sit in the traffic path and whether HTTP/2 is exposed.
Technical view
Traefik versions before 2.10.5 and 3.0.0-beta4 inherit HTTP/2 denial-of-service behavior from Go's HTTP/2 implementation, associated with CVE-2023-44487 and CVE-2023-39325. The issue maps to uncontrolled resource consumption and allocation limits, with high availability impact and network, unauthenticated attack conditions.
Likely exposure
Most relevant exposure is internet-facing Traefik deployments that accept HTTP/2 traffic and run versions older than 2.10.5, or 3.0.0 beta builds older than beta4. Internal Traefik deployments may still matter if reachable by untrusted tenants or compromised hosts.
Exploitation context
The bundle does not show CISA KEV listing or confirmed active exploitation for this Traefik-specific CVE. It describes the Rapid Reset technique and remote unauthenticated denial-of-service conditions. Treat exploitability as credible, but do not claim observed exploitation from these sources alone.
Researcher notes
Evidence is strongest for version exposure, attack class, and availability impact. The source bundle links the issue to Go HTTP/2 Rapid Reset behavior and CWE-400/CWE-770. It does not provide Traefik-specific proof of active exploitation, detailed package status, or alternative mitigations beyond fixed versions and vendor guidance.
Mitigation direction
Upgrade Traefik 2.x deployments to 2.10.5 or later.
Upgrade Traefik 3.0.0 beta deployments to beta4 or later.
Review the Traefik advisory for deployment-specific guidance.
Prioritize public HTTP/2 entry points before internal-only instances.
If upgrade is delayed, check vendor guidance for temporary exposure reduction.
Validation and detection
Inventory Traefik versions across ingress, proxy, and edge deployments.
Identify which Traefik entry points accept HTTP/2 traffic.
Confirm patched versions are deployed in production and staging.
Review monitoring for resource exhaustion and unexplained availability drops.
Track vendor and distribution advisories for packaging status.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-400 · source CWE mapping
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.