CVE-2026-13763
AWS · Application Load Balancer
AWS Application Load Balancers with AWS WAF enabled may inconsistently inspect HTTP/2 request bodies, potentially allowing attackers to bypass WAF security rules via fragmented request frames.
Executive summary
A critical security bypass vulnerability in AWS Application Load Balancer allows attackers to evade WAF inspection by fragmenting HTTP/2 request bodies, necessitating a configuration change.
Vulnerability
The issue arises from an inconsistent interpretation of HTTP/2 requests when AWS WAF is active. An unauthenticated attacker can exploit this by crafting HTTP/2 requests that fragment the body across multiple frames, causing the WAF to inspect only a partial body and effectively bypassing configured security policies.
Business impact
With a CVSS score of 9.8, this vulnerability represents a significant failure in the security perimeter provided by AWS WAF. Attackers can leverage this bypass to deliver malicious payloads that would otherwise be blocked, leading to potential SQL injection, cross-site scripting, or other application-level attacks that threaten data integrity and system availability.
Remediation
Immediate Action: Update the target group configuration in the AWS console to enable the "Inspect after sufficient data" attribute for all ALB target groups using HTTP/2.
Proactive Monitoring: Monitor WAF logs for unexpected spikes in traffic or requests that appear to be malformed or abnormally fragmented, as these may indicate evasion attempts.
Compensating Controls: If immediate configuration changes are not possible, consider restricting HTTP/2 traffic at the load balancer level where business requirements permit.
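An added audit script (example code, not from the advisory or AWS) that enumerates what the three remediation steps leave exposed: it takes boto3 ELBv2 and WAFv2 clients, keeps only Application Load Balancers that both have a web ACL attached and still accept HTTP/2 (the real `routing.http2.enabled` attribute), and reports target groups on which the inspection attribute is not enabled. The attribute key `INSPECT_ATTR_KEY` is a placeholder, since the advisory gives only the console label; the stub clients, ARNs and ACL name are constructed sample data.

```python
INSPECT_ATTR_KEY = "PLACEHOLDER.inspect.after.sufficient.data"  # placeholder key, not a real AWS attribute

def _attrs(describe, **kwargs):
    """Flatten an ELBv2 Attributes list into a {Key: Value} dict."""
    return {a["Key"]: a["Value"] for a in describe(**kwargs)["Attributes"]}

def audit_albs(elbv2, wafv2):
    """Return (lb_arn, tg_arn) pairs still exposed: WAF attached, HTTP/2 on, attribute unset."""
    exposed = []
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        if lb.get("Type") != "application":
            continue  # network/gateway load balancers are out of scope
        lb_arn = lb["LoadBalancerArn"]
        lb_attrs = _attrs(elbv2.describe_load_balancer_attributes, LoadBalancerArn=lb_arn)
        # routing.http2.enabled is a real ALB attribute that AWS defaults to "true"
        http2_on = lb_attrs.get("routing.http2.enabled", "true") == "true"
        # wafv2 returns an empty response when no web ACL is associated
        waf_attached = "WebACL" in wafv2.get_web_acl_for_resource(ResourceArn=lb_arn)
        if not (http2_on and waf_attached):
            continue  # no WAF to bypass, or HTTP/2 already disabled (compensating control)
        for tg in elbv2.describe_target_groups(LoadBalancerArn=lb_arn)["TargetGroups"]:
            tg_arn = tg["TargetGroupArn"]
            tg_attrs = _attrs(elbv2.describe_target_group_attributes, TargetGroupArn=tg_arn)
            if tg_attrs.get(INSPECT_ATTR_KEY) != "true":
                exposed.append((lb_arn, tg_arn))
    return exposed

# Constructed stubs standing in for boto3 clients; ARNs and names are sample data.
class StubElbv2:
    def describe_load_balancers(self):
        return {"LoadBalancers": [
            {"LoadBalancerArn": "arn:lb/alb-a", "Type": "application"},
            {"LoadBalancerArn": "arn:lb/alb-b", "Type": "application"},
            {"LoadBalancerArn": "arn:lb/nlb-c", "Type": "network"}]}
    def describe_load_balancer_attributes(self, LoadBalancerArn):
        http2 = "false" if LoadBalancerArn == "arn:lb/alb-b" else "true"  # alb-b uses the compensating control
        return {"Attributes": [{"Key": "routing.http2.enabled", "Value": http2}]}
    def describe_target_groups(self, LoadBalancerArn):
        return {"TargetGroups": [{"TargetGroupArn": LoadBalancerArn + "/tg-1"},
                                 {"TargetGroupArn": LoadBalancerArn + "/tg-2"}]}
    def describe_target_group_attributes(self, TargetGroupArn):
        fixed = TargetGroupArn.endswith("/tg-2")  # tg-2 already has the attribute enabled
        return {"Attributes": [{"Key": INSPECT_ATTR_KEY, "Value": "true" if fixed else "false"}]}

class StubWafv2:
    def get_web_acl_for_resource(self, ResourceArn):
        return {"WebACL": {"Name": "sample-web-acl"}}  # every load balancer has a WAF here

if __name__ == "__main__":
    print(audit_albs(StubElbv2(), StubWafv2()))  # [('arn:lb/alb-a', 'arn:lb/alb-a/tg-1')]
```

Against a real account, replace the stubs with `boto3.client("elbv2")` and `boto3.client("wafv2")` and substitute the documented attribute key for the placeholder.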
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score, all users of AWS Application Load Balancer with WAF integration must verify their target group settings immediately. Enabling "Inspect after sufficient data" is the mandatory requirement to ensure the WAF correctly processes fragmented HTTP/2 request bodies and maintains the integrity of the security perimeter.