In a significant escalation of threats to web infrastructure, a new vulnerability dubbed “MadeYouReset” has exposed numerous HTTP/2 implementations to denial-of-service (DoS) attacks, potentially enabling large-scale distributed DoS (DDoS) campaigns.
Tracked under CVE-2025-8671 with a CVSS score of 7.5, this flaw exploits discrepancies in how servers handle stream resets, allowing attackers to overwhelm systems without triggering concurrency limits.
First disclosed in August 2025 by researchers from Tel Aviv University, the issue echoes the 2023 “Rapid Reset” attack (CVE-2023-44487) but shifts the burden to server-initiated resets, bypassing many existing defenses.
How MadeYouReset Works
HTTP/2’s stream cancellation feature allows both clients and servers to abruptly close streams, a mechanism intended for efficiency but now weaponized.
In vulnerable setups, when a server resets a stream (often provoked by malformed frames such as invalid WINDOW_UPDATE or PRIORITY frames), the protocol marks the stream as closed, freeing its slot in the concurrent-stream counter (governed by SETTINGS_MAX_CONCURRENT_STREAMS).
However, the server’s backend continues processing the request, creating an unbounded flood of hidden workloads on a single connection.
Attackers repeatedly trigger these resets with seemingly innocuous frames, such as zero-increment window updates or DATA frames on half-closed streams, exhausting CPU or memory resources.
This mismatch stems from implementations equating resets with full closures, a subtlety overlooked in many real-world deployments.
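The accounting mismatch described above, as an added Python model that is not code from the article or from any affected project: a naive connection frees a stream's concurrency slot the moment the server resets it while the backend keeps working, whereas a hardened connection keeps the slot reserved until the backend finishes and aborts the connection once a per-connection budget of server-initiated resets is exceeded. The limit values and the budget policy are assumptions for the model.

```python
from dataclasses import dataclass, field

# Assumed values for this model, not figures from the article.
MAX_CONCURRENT_STREAMS = 100  # SETTINGS_MAX_CONCURRENT_STREAMS advertised by the server
RESET_BUDGET = 50             # hardened policy: max server-initiated resets per connection

@dataclass
class Connection:
    hardened: bool
    open_streams: set = field(default_factory=set)      # counted against the limit
    backend_inflight: set = field(default_factory=set)  # requests still being processed
    server_resets: int = 0
    closed: bool = False

    def open_stream(self, sid: int) -> bool:
        """Client opens a stream; refused once the concurrency limit is hit."""
        if self.closed or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(sid)
        self.backend_inflight.add(sid)  # request is already handed to the backend
        return True

    def server_reset(self, sid: int) -> None:
        """Server sends RST_STREAM on sid, e.g. after a malformed control frame."""
        self.server_resets += 1
        if not self.hardened:
            # Naive accounting: the stream is 'closed', so its slot is freed at
            # once, but the backend keeps working on the request (the mismatch).
            self.open_streams.discard(sid)
        elif self.server_resets > RESET_BUDGET:
            # Hardened: the slot stays reserved until backend_done(); too many
            # server-initiated resets abort the whole connection.
            self.closed = True
            self.open_streams.clear()
            self.backend_inflight.clear()

    def backend_done(self, sid: int) -> None:
        self.backend_inflight.discard(sid)
        self.open_streams.discard(sid)  # slot released only now under hardened rules

def simulate(hardened: bool, attempts: int) -> tuple:
    """Client opens `attempts` streams, each reset by the server before the
    backend completes. Returns (peak backend in-flight, connection aborted)."""
    conn, peak = Connection(hardened), 0
    for sid in range(1, 2 * attempts, 2):  # client-initiated stream ids are odd
        if conn.open_stream(sid):
            peak = max(peak, len(conn.backend_inflight))
            conn.server_reset(sid)
    return peak, conn.closed
```

`simulate(False, 1000)` shows the hidden backend load growing to 1000 on a single connection with the stream counter never tripping, while `simulate(True, 1000)` caps it and aborts the connection.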
Impact on Vendors and Systems
The vulnerability affects a wide array of HTTP/2 servers and libraries, with over 119 vendors impacted according to CERT/CC’s Vulnerability Note VU#767506.
High-profile targets include Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163), Jetty, Varnish, Fastly, and gRPC, alongside distributions like SUSE Linux and Red Hat.
For instance, unpatched versions of the Rust h2 library before 0.4.11 in frameworks like Pingora are susceptible, though major providers like Cloudflare report immunity due to prior Rapid Reset hardening.
| CVE ID | Affected Product | CVSS Score | Description |
|---|---|---|---|
| CVE-2025-8671 | Generic HTTP/2 Impl. | 7.5 | Stream reset mismatch leading to DoS |
| CVE-2025-48989 | Apache Tomcat | 7.5 | Backend processing overload |
| CVE-2025-54500 | F5 BIG-IP | 7.5 | Malformed frame-induced resets |
| CVE-2025-55163 | Netty | 7.5 | Unbounded concurrent requests |
This table highlights key CVEs, all stemming from the core flaw, with impacts ranging from performance degradation to full outages.
No in-the-wild exploits have surfaced yet, but proof-of-concept tools exist, raising alarms for unpatched edge servers and CDNs.
Patches and Defensive Measures
Vendors have rolled out fixes swiftly, with recommendations to limit RST_STREAM rates and validate control frames rigorously.
Apache, Netty, and Jetty advise immediate updates, while services like Imperva and Akamai emphasize enhanced protocol parsing to drop anomalous traffic.
As a stopgap, disabling HTTP/2 or proxying via HTTP/1.1 can mitigate risks, though this may degrade performance.
CERT/CC urges reviewing implementations against supplemental guidance from reporters, available at galbarnahum.com/made-you-reset.
With HTTP/2 underpinning much of the modern web, prompt action is essential to thwart this evolving protocol abuse vector.