HTTP/2 Continuation Flood: Technical Details

The author's technical analysis examines the CONTINUATION Flood vulnerability in HTTP/2 protocol implementations. The vulnerability poses a significant threat, with server disruptions ranging from crashes to performance degradation. Surprisingly, the attack requests are not visible in access logs, which makes debugging difficult. The author explores the outcomes of the vulnerability across different implementations such as Golang and Node.js, including CPU exhaustion and out-of-memory crashes. CONTINUATION Flood is a more severe threat than past HTTP/2 vulnerabilities, so understanding and addressing it is crucial for secure server operation.

https://nowotarski.info/http2-continuation-flood-technical-details/
