Nghttp2 · CVE-2024-28182
**Name of the Vulnerable Software and Affected Versions**
nghttp2 versions prior to 1.61.0
**Description**
The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream has been reset, in order to keep the HPACK decoder context in sync with the peer, so decoding the HPACK stream consumes excessive CPU. A remote attacker can exploit this to cause a denial of service.
**Recommendations**
For nghttp2 versions prior to 1.61.0, update to version 1.61.0 or later to mitigate the vulnerability by limiting the number of CONTINUATION frames accepted per stream. As a temporary workaround, consider restricting the use of HTTP/2 CONTINUATION frames until a patch is available.
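To illustrate the mitigation described above, here is an added example (not nghttp2's own code) of a minimal HTTP/2 frame walker that caps the number of CONTINUATION frames accepted for one header block, independent of whether the stream has since been reset. The cap value `MAX_CONTINUATION`, the function names and the constructed input are assumptions for the demo, not values taken from nghttp2.

```c
#include <stddef.h>
#include <stdint.h>
/* HTTP/2 frame types and flags (RFC 9113). */
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4
#define H2_HDR_LEN          9
#define MAX_CONTINUATION    8 /* assumed cap; nghttp2's real value is not on this page */
enum { H2_OK = 0, H2_FLOOD = -1, H2_MALFORMED = -2 };
/* Walk serialized frames; return H2_FLOOD once one header block spans more than
 * MAX_CONTINUATION CONTINUATION frames. The counter is tied to the open header
 * block, not to stream state, so a reset stream does not restart it. */
int h2_check_continuation(const unsigned char *buf, size_t len) {
    size_t off = 0;
    int in_block = 0;       /* inside a header block awaiting END_HEADERS */
    unsigned cont = 0;      /* CONTINUATION frames seen in that block */
    uint32_t block_sid = 0; /* stream id that owns the block */
    while (off + H2_HDR_LEN <= len) {
        uint32_t plen = (uint32_t)buf[off] << 16 | (uint32_t)buf[off+1] << 8 | buf[off+2];
        uint8_t type = buf[off+3], flags = buf[off+4];
        uint32_t sid = (uint32_t)(buf[off+5] & 0x7f) << 24 | (uint32_t)buf[off+6] << 16
                     | (uint32_t)buf[off+7] << 8 | buf[off+8];
        if (off + H2_HDR_LEN + plen > len) return H2_MALFORMED; /* truncated frame */
        if (in_block) {
            /* RFC 9113 s6.10: only CONTINUATION on the same stream may follow. */
            if (type != H2_CONTINUATION || sid != block_sid) return H2_MALFORMED;
            if (++cont > MAX_CONTINUATION) return H2_FLOOD;
            if (flags & H2_FLAG_END_HEADERS) in_block = 0;
        } else if (type == H2_HEADERS && !(flags & H2_FLAG_END_HEADERS)) {
            in_block = 1; cont = 0; block_sid = sid;
        }
        off += H2_HDR_LEN + plen;
    }
    return H2_OK;
}
/* Write one empty-payload frame header at out; returns bytes written. */
static size_t put_frame(unsigned char *out, uint8_t type, uint8_t flags, uint32_t sid) {
    out[0] = out[1] = out[2] = 0; out[3] = type; out[4] = flags;
    out[5] = (sid >> 24) & 0x7f; out[6] = sid >> 16; out[7] = sid >> 8; out[8] = sid;
    return H2_HDR_LEN;
}
/* Constructed input: HEADERS on stream 1, then n CONTINUATION frames, the last
 * carrying END_HEADERS (n <= 63). Returns the checker's verdict. */
int demo_continuation_chain(unsigned n) {
    unsigned char buf[H2_HDR_LEN * 64];
    size_t len = put_frame(buf, H2_HEADERS, 0, 1);
    for (unsigned i = 0; i < n; i++)
        len += put_frame(buf + len, H2_CONTINUATION, i + 1 == n ? H2_FLAG_END_HEADERS : 0, 1);
    return h2_check_continuation(buf, len);
}
```

A real endpoint would treat `H2_FLOOD` as a connection error and close the connection rather than keep decoding.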