Introducing Akka Cloud to Edge Continuum. Build once for the Cloud. Seamlessly deploy to the Edge. Learn More

Akka HTTP rapid reset denial of service





Description of Vulnerability

A widespread HTTP/2 server vulnerability where a client issues rapid HTTP/2 reset frames and thereby sidesteps the protection against unlimited resource consumption built into the protocol.


The CVSS score of this vulnerability is 7.5, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


The quick sequence of requests can possibly trigger of expensive requests on the server, depending on the application logic built on top of Akka HTTP/2, at a low cost for the abusing client, allowing for denial of service attacks.

Akka HTTP/2 servers running behind a proxy are likely protected by the proxy, given that it has protective measurements against this vulnerability.


Starting from Akka HTTP 10.5.3 a reset frame rate limit is present in the HTTP/2 server. The rate limit is configurable through settings akka.http.server.http2.max-resets and akka.http.server.http2.max-resets-interval with a default limit of 400 resets per 10s and connection. Once a connection hits the limit it is closed.

Affected versions

Fixed versions