Product Releases
October 12, 2023
2 min read

Kong Releases Product Updates to Address Novel HTTP/2 'Rapid Reset' DDoS Vulnerability

Tom Brightbill
Group Product Manager

At Kong, the security and reliability of our products have always been paramount. In light of the recent discovery of the Novel HTTP/2 ‘Rapid Reset’ DDoS attack (CVE-2023-44487), we have taken steps to proactively address potential issues. Today we’re providing guidance on how our users can best safeguard their systems. 

What is the HTTP/2 Rapid Reset Attack?

This vulnerability exploits HTTP/2 stream multiplexing, the ability of a client to run many concurrent request streams over a single connection. In this attack, a client floods the server with a very high number of HTTP/2 stream requests and immediately resets each one with an RST_STREAM frame. The server still has to allocate and then tear down state for every canceled stream, so it spends a lot of resources on cleanup. Because a reset stream no longer counts against the connection's concurrent-stream limit, these requests are legal in HTTP/2, and a malicious client can defeat existing flood prevention checks with minimal work.

The servers end up spending too much time cleaning up the canceled streams, which prevents them from servicing valid traffic and causes a Denial of Service.

We urge customers with HTTP/2-enabled servers to liaise with their web server providers to ensure timely application of essential patches.

Immediate Action Taken by Kong

All supported versions of Kong Gateway, Kong Mesh, and Kuma have been patched and released. The following versions contain a fix for the HTTP/2 rapid reset attack:

  • Kong Gateway Enterprise: 2.8.4.4, 3.1.1.6, 3.2.2.5, 3.3.1.1, 3.4.1.1
  • Kong Gateway OSS: 3.4.2
  • Kong Mesh: 2.0.8, 2.1.7, 2.2.5, 2.3.3, 2.4.3
  • Kuma: 2.0.8, 2.1.7, 2.2.5, 2.3.3, 2.4.3

Users of the Docker official image for Kong OSS: we have submitted an updated version and are waiting for the fix to be merged. To update immediately, please switch to the kong/kong image. For customers using Kong Enterprise images, the updates are available immediately.

Mitigation Steps

If you cannot immediately update to the latest patches containing our fixes, we recommend the following mitigation steps:

  1. Disable HTTP/2 Support in Kong
  2. Reduce the HTTP/2 keepalive limit
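
As an added illustration, not code from the Kong post or the Kong knowledge base, the script below audits a kong.conf for the two mitigations and produces the hardened settings. It assumes Kong's `proxy_listen` setting, where the `http2` flag on a listener enables HTTP/2, and Kong's `nginx_http_*` directive injection for the per-connection request limit (`nginx_http_keepalive_requests`, mapping to Nginx's `keepalive_requests`); the sample configuration and the cap value are constructed.

```python
# Constructed sample kong.conf: HTTP/2 enabled on the TLS listener and a
# generous per-connection request budget (values are illustrative only).
SAMPLE_CONF = """\
proxy_listen = 0.0.0.0:8000 reuseport, 0.0.0.0:8443 http2 ssl reuseport
nginx_http_keepalive_requests = 10000
"""

def parse_kong_conf(text):
    """Parse `key = value` lines of a kong.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def listeners(conf):
    """Split proxy_listen into (address, [flags]) tuples; listeners are comma-separated."""
    out = []
    for entry in conf.get("proxy_listen", "").split(","):
        parts = entry.split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def audit(conf, max_keepalive=1000):
    """Report listeners still speaking HTTP/2 and an oversized keepalive limit.
    max_keepalive is a placeholder cap; 1000 is Nginx's default keepalive_requests."""
    findings = [f"HTTP/2 enabled on {addr}" for addr, flags in listeners(conf) if "http2" in flags]
    raw = conf.get("nginx_http_keepalive_requests")
    if raw is not None and int(raw) > max_keepalive:
        findings.append(f"keepalive_requests is {raw}; cap it at {max_keepalive}")
    return findings

def harden(conf, max_keepalive=1000):
    """Return a copy with the http2 flag removed and the keepalive limit capped."""
    fixed = dict(conf)
    fixed["proxy_listen"] = ", ".join(
        " ".join([addr] + [f for f in flags if f != "http2"]) for addr, flags in listeners(conf))
    raw = fixed.get("nginx_http_keepalive_requests")
    if raw is None or int(raw) > max_keepalive:
        fixed["nginx_http_keepalive_requests"] = str(max_keepalive)
    return fixed

if __name__ == "__main__":
    conf = parse_kong_conf(SAMPLE_CONF)
    for finding in audit(conf):
        print("FINDING:", finding)
    for key, value in harden(conf).items():
        print(f"{key} = {value}")
```

Apply the hardened values to kong.conf (or the matching `KONG_` environment variables) and restart the gateway; disabling HTTP/2 also drops it for legitimate clients, so treat it as a stopgap until the patched release is deployed.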

Details on implementing these mitigation measures are available in the Kong knowledge base.

At Kong, we appreciate the trust you place in us and in our products. We are committed to ensuring the security of our community and will continue to monitor and address vulnerabilities proactively. Lastly, we highly recommend that all of our users evaluate their systems, apply the necessary patches, and follow the mitigation steps provided.
