A note on how Varnish handles an HTTP/2 CONTINUATION flood

Published April 4, 2024.

Today, news surfaced of a new HTTP/2 vulnerability, the CONTINUATION flood, affecting a large number of HTTP/2 implementations.

References here:

This vulnerability has been under embargo until today. Varnish Software was notified and learned of it on 2024-03-26. We have done a thorough study of the vulnerability and have concluded that Varnish is not affected.

When Varnish decodes an incoming HPACK header block, the decoded header set is written into a buffer of fixed size, regardless of how large the incoming header set is. Varnish is therefore not at risk of runaway memory consumption from an arbitrarily large incoming header set, however many CONTINUATION frames it is spread across.

Once this buffer is exhausted, Varnish keeps processing the remaining CONTINUATION frames and applies the dynamic table updates they carry, so the HPACK state stays consistent for future streams on the same connection.

The Varnish Traffic Router is likewise not affected, as it does not implement HTTP/2.

Please get in touch via support if you have any questions.