A widespread HTTP/2 server vulnerability where a client issues rapid HTTP/2 reset frames and thereby sidesteps the protection against unlimited resource consumption built into the protocol.
The CVSS score of this vulnerability is 7.5, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The quick sequence of requests can possibly trigger of expensive requests on the server, depending on the application logic built on top of Akka HTTP/2, at a low cost for the abusing client, allowing for denial of service attacks.
Akka HTTP/2 servers running behind a proxy are likely protected by the proxy, given that it has protective measurements against this vulnerability.
Starting from Akka HTTP 10.5.3 a reset frame rate limit is present in the HTTP/2 server. The rate limit
is configurable through settings
akka.http.server.http2.max-resets-interval with a default limit of 400 resets per 10s and connection. Once a connection hits
the limit it is closed.