A new vulnerability dubbed “MadeYouReset” impacts multiple HTTP/2 server implementations, enabling large-scale Denial-of-Service (DoS) attacks. It bypasses the traditional limit on concurrent HTTP/2 requests per TCP connection, allowing attackers to overwhelm target servers and even trigger out-of-memory crashes. The flaw stems from a protocol misuse involving RST_STREAM frames — an evolution of the previously known Rapid Reset attack.
Severity Level: High
Vulnerability Details
- ID: CVE-2025-8671 (with specific CVEs per vendor implementation)
- Class: Denial-of-Service (DoS)
- Affected Protocol: HTTP/2
- Related Prior CVE: CVE-2023-44487 (Rapid Reset)
- The root cause lies in the incorrect handling of RST_STREAM frames:
  - When a stream is reset, it is counted as closed per the HTTP/2 specification.
  - However, many server implementations continue processing the backend request for that stream.
  - The SETTINGS_MAX_CONCURRENT_STREAMS limit is therefore bypassed: reset streams no longer count toward it, even though their backend work continues.
  - Attackers exploit this by triggering server-initiated resets via malformed frames or flow-control violations, effectively creating resource leaks.
| Affected Product | CVE ID | Affected Versions | Fixed Versions or Mitigations |
|---|---|---|---|
| Apache Tomcat | CVE-2025-48989 | 11.0.0-M1 to 11.0.9; 10.1.0-M1 to 10.1.43; 9.0.0.M1 to 9.0.107 (older, EOL versions may also be affected) | 11.0.10 or later; 10.1.44 or later; 9.0.108 or later |
| F5 BIG-IP | CVE-2025-54500 | BIG-IP Next (all modules): 20.3.0 | For systems and configurations that can use either HTTP or HTTP/2, F5 recommends using HTTP and disabling HTTP/2. |
| F5 BIG-IP | CVE-2025-54500 | BIG-IP Next SPK: 2.0.0 – 2.0.2, 1.7.0 – 1.9.2 | Where possible, delete the F5SPKIngressHTTP2 Custom Resource. |
| F5 BIG-IP | CVE-2025-54500 | BIG-IP Next CNF: 2.0.0 – 2.0.2, 1.1.0 – 1.4.1 | |
| F5 BIG-IP | CVE-2025-54500 | BIG-IP Next for Kubernetes: 2.0.0 | |
| F5 BIG-IP | CVE-2025-54500 | BIG-IP (all modules): 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | Engineering hotfixes: Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso, Hotfix-BIGIP-17.1.2.2.0.259.12-ENG.iso, Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso |
| Netty | CVE-2025-55163 | netty-codec-http2 (Maven): <= 4.2.3.Final, <= 4.1.123.Final | 4.2.4.Final, 4.1.124.Final |
| Fastly | CVE-2025-8671 | Releases before 25.17 of Fastly’s internal fork of H2O | Release 25.17 |
Exploitation
- Open valid HTTP/2 streams from a client to the server.
- Send crafted malformed frames (e.g., invalid WINDOW_UPDATE, PRIORITY, DATA or HEADERS frames) that force the server to reset the stream.
- The server sends RST_STREAM but continues backend processing of the request.
- Since the protocol considers these streams closed, they no longer count toward the concurrency limit and the attacker can repeat the process indefinitely.
- The result is DoS via CPU overload or memory exhaustion.
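The accounting defect described under Vulnerability Details and in the steps above, modelled in Python as an added illustration (this is not code from Tomcat, Netty, H2O or any F5 product): the vulnerable policy admits new streams by counting only streams in the open state, so backend work left behind by reset streams grows without bound, while the assumed hardened policy cancels that work on reset and closes the connection once server-initiated resets exceed a budget. MAX_CONCURRENT_STREAMS and RST_BUDGET are assumed values, and backend jobs are modelled as never completing to represent handlers that are slow relative to the frame rate.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # assumed advertised SETTINGS_MAX_CONCURRENT_STREAMS
RST_BUDGET = 50               # assumed cap on server-sent RST_STREAM per connection


@dataclass
class Connection:
    """Server-side view of one HTTP/2 connection (toy model, no networking)."""
    hardened: bool
    open_streams: set = field(default_factory=set)  # streams in the "open" state
    backend_jobs: set = field(default_factory=set)  # streams with backend work running
    rst_sent: int = 0
    closed: bool = False

    def admit(self, sid: int) -> bool:
        """HEADERS opening a new stream; returns False if the limit refuses it."""
        if self.closed:
            return False
        # Vulnerable accounting only counts open streams; the hardened policy
        # counts every stream whose backend work is still running.
        in_use = len(self.backend_jobs) if self.hardened else len(self.open_streams)
        if in_use >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(sid)
        self.backend_jobs.add(sid)  # request handed to the backend
        return True

    def protocol_error(self, sid: int) -> None:
        """Malformed frame on sid: server answers RST_STREAM, stream becomes closed."""
        self.open_streams.discard(sid)
        self.rst_sent += 1
        if self.hardened:
            self.backend_jobs.discard(sid)  # cancel work the client abandoned
            if self.rst_sent >= RST_BUDGET:
                self.closed = True          # GOAWAY: too many server-initiated resets
        # Vulnerable path: the backend job outlives the stream, so it no longer
        # counts toward the limit but still consumes CPU and memory.


def simulate(hardened: bool, rounds: int) -> tuple:
    """Run `rounds` open-then-error cycles; return (streams admitted, peak backend jobs)."""
    conn = Connection(hardened=hardened)
    admitted = peak = 0
    for i in range(rounds):
        sid = 2 * i + 1  # client-initiated streams use odd identifiers
        if conn.admit(sid):
            admitted += 1
            peak = max(peak, len(conn.backend_jobs))
            conn.protocol_error(sid)
    return admitted, peak
```

With 1000 cycles the vulnerable policy admits all 1000 streams and accumulates 1000 backend jobs, far above the advertised limit of 100, whereas the hardened policy never holds more than one job and drops the connection after 50 resets.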
Recommendations
- Apply security updates provided by vendors (Apache, F5, Netty, etc.) addressing CVE-2025-8671 and related CVEs.
- Indicators of attack for BIG-IP systems:
  For BIG-IP systems, you can inspect the HTTP/2 profile statistics. If the number of RST_STREAM frames sent and WINDOW_UPDATE frames received significantly exceeds the number of other frames received from clients, this may indicate that a malicious actor is conducting this type of attack.
  If there is no impact on the CPU load of the BIG-IP system, you may not need to take remedial action; however, if a significant or troublesome increase in CPU load is observed, download and install the engineering hotfix for this issue.
  For information about how to view the HTTP/2 profile statistics using the Configuration utility, tmsh, or SNMP, refer to K000137190: Overview of HTTP/2 Statistics.
Source:
- https://thehackernews.com/2025/08/new-http2-madeyoureset-vulnerability.html
- https://kb.cert.org/vuls/id/767506
- https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
- https://my.f5.com/manage/s/article/K000152001
- https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- https://www.fastlystatus.com/incident/377810