Uncontrolled Resource Consumption in org.eclipse.jetty.http2:http2-common
CVE-2025-5115
- org.eclipse.jetty.http2:http2-common
- org.eclipse.jetty.http2:jetty-http2-common
Summary
In Eclipse Jetty, an HTTP/2 client may trigger the server to send "RST_STREAM" frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, thereby forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send "WINDOW_UPDATE" frames with a window size increment of 0, which is illegal; per the specification (https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update), the server should send a "RST_STREAM" frame. The client can then open another stream and send another invalid "WINDOW_UPDATE" frame, causing the server to again consume unnecessary resources. This behavior does not exceed the maximum number of concurrent streams, yet the client is able to create an enormous number of streams in a short period of time. The attack can also be carried out under other conditions that cause the server to send a "RST_STREAM" frame, for example by sending a "DATA" frame for a closed stream.

This issue affects org.eclipse.jetty.http2:http2-common versions 9.3.0.M0 through 9.4.57.v20241219, 10.0.0-alpha0 through 10.0.25, and 11.0.0-alpha0 through 11.0.25, and org.eclipse.jetty.http2:jetty-http2-common versions 12.0.0.alpha0 through 12.0.24, and 12.1.0.alpha0 through 12.1.0.beta2.
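The point of the summary is that the existing MAX_CONCURRENT_STREAMS limit never trips, because each provoked stream is reset immediately; the resource being abused is the server's own RST_STREAM handling. The defensive measure a server can apply is a budget on server-generated RST_STREAM frames per connection. The following is an added example written for this page, not Jetty's code or its fix: a small model of the server side of one HTTP/2 connection that validates the two cases the advisory names (a WINDOW_UPDATE with a zero increment and a DATA frame on a stream the peer has already closed), resets the stream as RFC 9113 requires, and drops the connection with GOAWAY once the reset rate in a sliding window exceeds a threshold. The frame type and error code constants are RFC 9113's; the class names `ResetBudget` and `ServerConnection`, the state model, and the limit and window values are assumptions for illustration, and the traffic in the two `run_*` functions is constructed.

```python
"""
Added example (not Jetty code): a per-connection budget for server-generated
RST_STREAM frames, modelled on the behaviour described in the advisory.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Frame types and error codes from RFC 9113 (sections 6 and 7).
DATA, RST_STREAM, WINDOW_UPDATE = 0x0, 0x3, 0x8
PROTOCOL_ERROR, STREAM_CLOSED, ENHANCE_YOUR_CALM = 0x1, 0x5, 0xB


@dataclass
class Frame:
    ftype: int
    stream_id: int
    payload: bytes = b""
    end_stream: bool = False


class ResetBudget:
    """Sliding-window counter: True once more than `limit` resets fall inside `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._times: deque[float] = deque()

    def record(self, now: float) -> bool:
        self._times.append(now)
        while self._times and now - self._times[0] > self.window:
            self._times.popleft()
        return len(self._times) > self.limit


class ServerConnection:
    """Minimal server-side view of one HTTP/2 connection (assumed model, not Jetty's)."""

    def __init__(self, budget: ResetBudget):
        self.budget = budget
        self.states: dict[int, str] = {}   # stream id -> open / half_closed_remote / closed
        self.sent: list[Frame] = []         # frames the server emitted
        self.goaway_code: int | None = None

    def open_stream(self, stream_id: int) -> None:
        if self.goaway_code is None:
            self.states[stream_id] = "open"

    def receive(self, frame: Frame, now: float) -> None:
        if self.goaway_code is not None:
            return                          # connection is being torn down
        state = self.states.get(frame.stream_id, "idle")
        if state == "closed":
            return                          # s5.1: ignore frames after our RST_STREAM
        if frame.ftype == WINDOW_UPDATE:
            increment = int.from_bytes(frame.payload[:4], "big") & 0x7FFFFFFF
            if increment == 0:              # illegal (s6.9): stream error PROTOCOL_ERROR
                self._reset(frame.stream_id, PROTOCOL_ERROR, now)
        elif frame.ftype == DATA:
            if state == "idle":             # DATA on an idle stream is a connection error
                self.goaway_code = PROTOCOL_ERROR
            elif state != "open":           # peer already sent END_STREAM on this stream
                self._reset(frame.stream_id, STREAM_CLOSED, now)
            elif frame.end_stream:
                self.states[frame.stream_id] = "half_closed_remote"

    def _reset(self, stream_id: int, error_code: int, now: float) -> None:
        self.states[stream_id] = "closed"
        self.sent.append(Frame(RST_STREAM, stream_id, error_code.to_bytes(4, "big")))
        if self.budget.record(now):         # too many resets: stop serving this peer
            self.goaway_code = ENHANCE_YOUR_CALM


def resets_sent(conn: ServerConnection) -> int:
    return sum(1 for f in conn.sent if f.ftype == RST_STREAM)


def run_reset_flood(limit: int, attempts: int) -> tuple[int, int | None]:
    """Constructed traffic: the advisory's pattern repeated `attempts` times within one
    second.  Returns (RST_STREAM frames the server sent, GOAWAY error code or None)."""
    conn = ServerConnection(ResetBudget(limit, window=1.0))
    for i in range(attempts):
        sid = 2 * i + 1                     # client-initiated streams are odd-numbered
        conn.open_stream(sid)
        conn.receive(Frame(WINDOW_UPDATE, sid, (0).to_bytes(4, "big")), now=i / 1000)
    return resets_sent(conn), conn.goaway_code


def run_well_behaved(limit: int, streams: int) -> tuple[int, int | None]:
    """Constructed traffic: ordinary requests, each with a valid WINDOW_UPDATE."""
    conn = ServerConnection(ResetBudget(limit, window=1.0))
    for i in range(streams):
        sid = 2 * i + 1
        conn.open_stream(sid)
        conn.receive(Frame(DATA, sid, b"body", end_stream=True), now=i / 1000)
        conn.receive(Frame(WINDOW_UPDATE, sid, (65535).to_bytes(4, "big")), now=i / 1000)
    return resets_sent(conn), conn.goaway_code


if __name__ == "__main__":
    print(run_reset_flood(limit=50, attempts=500))    # (51, 11)
    print(run_well_behaved(limit=50, streams=500))    # (0, None)
```

The budget counts only resets the server itself generates, so well-behaved clients that open many streams are unaffected, while the pattern in the advisory is cut off after `limit` resets regardless of how many streams were concurrently open. The GOAWAY code ENHANCE_YOUR_CALM is the one RFC 9113 reserves for exactly this situation, and logging it with the peer address gives operations a clean detection signal.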
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published