Impact of CVE-2023-44487 and CVE-2025-8671 on Edge SWG (ProxySG, ASG) and Cloud SWG (WSS)

Article ID: 274893

Products

ProxySG Software - SGOS
ISG Proxy
Advanced Secure Gateway Software - ASG
Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The HTTP/2 (H2) vulnerabilities CVE-2023-44487 ("Rapid Reset") and CVE-2025-8671 ("MadeYouReset") permit a denial-of-service scenario in which a high volume of coordinated HTTP/2 request cancellations quickly resets many HTTP/2 streams, exhausting server resources and potentially causing outages.

Resolution

Edge SWG (ProxySG or ASG)

| Versions | Applicability |
|---|---|
| Versions prior to 7.x | Not vulnerable. HTTP/2 is not natively supported |
| 7.1x through 7.3.14.x | Vulnerable, excluding the specific patches listed below |
| 7.3.13.5 and later 7.3.13.x | Not vulnerable |
| 7.3.14.4 and later 7.3.14.x | Not vulnerable |
| 7.3.15.x and later 7.3.x | Not vulnerable |
| 7.4.1.1 | Vulnerable |
| 7.4.1.2 | Not vulnerable |
| 7.4.2.x and later | Not vulnerable |
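
The applicability table above, written as a version check for triaging an appliance inventory. This is an added example, not vendor code; the function names, the "unlisted" verdict for versions the table does not cover, and the sample hostnames and versions are assumptions made here.

```python
import re

def parse(version):
    """'SGOS 7.3.14.4' or '7.3.14.4' -> (7, 3, 14, 4); short versions pad with 0."""
    m = re.search(r"\d+(?:\.\d+){1,3}", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def applicability(version):
    """Return the article's verdict for one Edge SWG (SGOS) version string."""
    v = parse(version)
    if v[0] < 7:
        return "not vulnerable"              # HTTP/2 not natively supported
    if (7, 1) <= v[:2] <= (7, 3):            # the 7.1x through 7.3.x rows
        if v[:3] == (7, 3, 13):
            return "not vulnerable" if v[3] >= 5 else "vulnerable"
        if v[:3] == (7, 3, 14):
            return "not vulnerable" if v[3] >= 4 else "vulnerable"
        return "not vulnerable" if v[:3] >= (7, 3, 15) else "vulnerable"
    if v == (7, 4, 1, 1):
        return "vulnerable"
    if v == (7, 4, 1, 2) or v[:3] >= (7, 4, 2):
        return "not vulnerable"
    return "unlisted"                        # no row in the table covers it

def triage(inventory):
    """Keep only the hosts that are not confirmed fixed, with their verdict."""
    verdicts = {host: applicability(ver) for host, ver in inventory.items()}
    return {h: r for h, r in verdicts.items() if r != "not vulnerable"}

# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE = {
    "edge-01": "SGOS 6.7.5.12",
    "edge-02": "7.3.13.4",
    "edge-03": "7.3.14.4",
    "edge-04": "7.4.1.1",
    "edge-05": "7.4.1.3",
    "edge-06": "7.4.2.1",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict} ({SAMPLE[host]})")
```

Hosts reported as "unlisted" fall outside every row of the table and need a manual check against the vendor's release notes.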


Cloud SWG

Cloud SWG (formerly WSS) provides the same CPL to disable HTTP/2 for UPE-managed tenants and also limits the number of concurrent streams.

Additional Information

For vulnerable versions, the attack can be prevented by disabling HTTP/2 via policy using CPL:

<proxy>
http2.client.accept(no) http2.server.request(no)

The fix limits the number of concurrent streams over HTTP/2 client connections (even if the streams are reset), mitigating the attacks.