In a significant escalation of threats to web infrastructure, a new vulnerability dubbed “MadeYouReset” has exposed numerous HTTP/2 implementations to denial-of-service (DoS) attacks, potentially enabling large-scale distributed DoS (DDoS) campaigns.
Tracked under CVE-2025-8671 with a CVSS score of 7.5, this flaw exploits discrepancies in how servers handle stream resets, allowing attackers to overwhelm systems without triggering concurrency limits.
First disclosed in August 2025 by researchers from Tel Aviv University, the issue echoes the 2023 “Rapid Reset” attack (CVE-2023-44487) but shifts the burden to server-initiated resets, bypassing many existing defenses.
HTTP/2’s stream cancellation feature allows both clients and servers to abruptly close streams, a mechanism intended for efficiency but now weaponized.
In vulnerable setups, when a server resets a stream, often provoked by malformed frames such as an invalid WINDOW_UPDATE or PRIORITY frame, the protocol marks the stream as closed and frees its slot in the concurrent stream counter (governed by SETTINGS_MAX_CONCURRENT_STREAMS).
However, the server's backend continues processing the request, so a single connection can accumulate an unbounded amount of hidden work.
Attackers craft seemingly innocuous frames, such as zero-increment window updates or DATA frames on half-closed streams, to trigger these resets repeatedly, exhausting CPU or memory.
The mismatch stems from implementations treating a reset as a full closure, i.e. assuming the stream's work is finished once the stream is closed, a subtlety overlooked in many real-world deployments.
The vulnerability affects a wide array of HTTP/2 servers and libraries, with over 119 vendors impacted according to CERT/CC’s Vulnerability Note VU#767506.
High-profile targets include Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163), Jetty, Varnish, Fastly, and gRPC, alongside distributions like SUSE Linux and Red Hat.
For instance, unpatched versions of the Rust h2 library before 0.4.11 in frameworks like Pingora are susceptible, though major providers like Cloudflare report immunity due to prior Rapid Reset hardening.
| CVE ID | Affected Product | CVSS Score | Description |
|---|---|---|---|
| CVE-2025-8671 | Generic HTTP/2 Impl. | 7.5 | Stream reset mismatch leading to DoS |
| CVE-2025-48989 | Apache Tomcat | 7.5 | Backend processing overload |
| CVE-2025-54500 | F5 BIG-IP | 7.5 | Malformed frame-induced resets |
| CVE-2025-55163 | Netty | 7.5 | Unbounded concurrent requests |
This table highlights key CVEs, all stemming from the core flaw, with impacts ranging from performance degradation to full outages.
No in-the-wild exploits have surfaced yet, but proof-of-concept tools exist, raising alarms for unpatched edge servers and CDNs.
Vendors have rolled out fixes swiftly, with recommendations to limit RST_STREAM rates and validate control frames rigorously.
Apache, Netty, and Jetty advise immediate updates, while services like Imperva and Akamai emphasize enhanced protocol parsing to drop anomalous traffic.
As a stopgap, disabling HTTP/2 or proxying via HTTP/1.1 can mitigate risks, though this may degrade performance.
CERT/CC urges reviewing implementations against supplemental guidance from reporters, available at galbarnahum.com/made-you-reset.
With HTTP/2 underpinning much of the modern web, prompt action is essential to thwart this evolving protocol abuse vector.
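To make the accounting mismatch concrete, the following is an added illustrative model, not code from any of the affected projects, of per-connection HTTP/2 stream bookkeeping. It contrasts the vulnerable pattern described above (a server-initiated reset frees the concurrency slot while backend work continues) with a hardened variant that also counts outstanding backend work and budgets server-initiated RST_STREAM frames per connection, in the spirit of the vendor recommendations. The stream limit of 100, the reset budget, the simulation loop and the `reset_ratio` indicator are all constructed assumptions.

```python
"""Illustrative simulation of HTTP/2 per-connection stream accounting.
Added example, not code from any affected project; all constants and the
reset budget are assumptions chosen for the demonstration."""

from dataclasses import dataclass


@dataclass
class Connection:
    # Advertised via SETTINGS_MAX_CONCURRENT_STREAMS; 100 is a constructed value.
    max_streams: int = 100
    # Hypothetical per-connection cap on server-initiated RST_STREAM frames
    # before the server gives up on the connection (GOAWAY).
    rst_budget: int = 1000
    open_streams: int = 0       # streams the protocol layer counts as open
    backend_inflight: int = 0   # requests the backend has not finished
    opened: int = 0             # total streams accepted on this connection
    server_resets: int = 0      # RST_STREAM frames sent by the server
    rejected: int = 0           # stream opens refused by the server
    closed: bool = False        # connection torn down


def open_stream_vulnerable(conn: Connection) -> bool:
    """Vulnerable accounting: only the protocol-level counter is checked."""
    if conn.open_streams >= conn.max_streams:
        conn.rejected += 1
        return False
    conn.open_streams += 1
    conn.backend_inflight += 1  # request handed to the backend
    conn.opened += 1
    return True


def server_reset_vulnerable(conn: Connection) -> None:
    """A malformed control frame makes the server reset the stream: the slot
    is freed at once, but the backend work is never cancelled or counted."""
    conn.open_streams -= 1
    conn.server_resets += 1


def open_stream_hardened(conn: Connection) -> bool:
    """Hardened accounting: the concurrency limit applies to outstanding
    backend work as well as to protocol-open streams."""
    if conn.closed:
        conn.rejected += 1
        return False
    if max(conn.open_streams, conn.backend_inflight) >= conn.max_streams:
        conn.rejected += 1
        return False
    conn.open_streams += 1
    conn.backend_inflight += 1
    conn.opened += 1
    return True


def server_reset_hardened(conn: Connection) -> None:
    """Server-initiated resets are budgeted per connection; exceeding the
    budget closes the connection instead of freeing yet another slot."""
    conn.open_streams -= 1
    conn.server_resets += 1
    if conn.server_resets > conn.rst_budget:
        conn.closed = True


def backend_complete(conn: Connection, n: int = 1) -> None:
    """The backend finishes n requests; this is the only event that lowers
    backend_inflight in either model."""
    conn.backend_inflight = max(0, conn.backend_inflight - n)


def reset_ratio(conn: Connection) -> float:
    """Server resets per accepted stream. A ratio near 1.0 on a connection
    that completes almost nothing is a useful anomaly indicator."""
    return conn.server_resets / conn.opened if conn.opened else 0.0


def simulate(conn: Connection, open_fn, reset_fn, rounds: int) -> Connection:
    """Constructed worst case: every accepted stream is immediately reset by
    the server and the backend completes nothing during the run."""
    for _ in range(rounds):
        if open_fn(conn):
            reset_fn(conn)
    return conn


if __name__ == "__main__":
    v = simulate(Connection(), open_stream_vulnerable, server_reset_vulnerable, 1000)
    print("vulnerable: open=%d inflight=%d rejected=%d ratio=%.2f"
          % (v.open_streams, v.backend_inflight, v.rejected, reset_ratio(v)))
    h = simulate(Connection(), open_stream_hardened, server_reset_hardened, 1000)
    print("hardened:   open=%d inflight=%d rejected=%d closed=%s"
          % (h.open_streams, h.backend_inflight, h.rejected, h.closed))
```

In the vulnerable run the protocol counter stays at zero and no stream is ever rejected, yet the backend is left with 1000 in-flight requests from one connection, which is exactly the condition the page describes. The hardened run caps outstanding backend work at the advertised limit, and lowering `rst_budget` shows the connection being closed once the server has had to reset more streams than the budget allows; both checks are independent, so a deployment can adopt either.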