Security researchers have identified a new denial-of-service (DoS) vulnerability in HTTP/2 implementations, referred to as MadeYouReset (CVE-2025-8671). This discovery represents a notable escalation in the threats associated with web protocols.
Publicly disclosed on August 13, 2025, this flaw allows attackers to bypass built-in concurrency limits, overwhelming servers with unbounded concurrent requests and potentially crashing systems through resource exhaustion.
MadeYouReset builds directly on the 2023 Rapid Reset vulnerability (CVE-2023-44487), which exploited HTTP/2’s stream cancellation mechanism.
In Rapid Reset, attackers sent requests and immediately canceled them using client-initiated RST_STREAM frames, forcing servers to process responses without counting toward the MAX_CONCURRENT_STREAMS limit—typically set at 100.
This created a mismatch: streams appeared closed in the HTTP/2 layer, but backend processing continued, enabling massive DDoS attacks that peaked at over 398 million requests per second.
Mitigations for Rapid Reset focused on limiting client-sent RST_STREAM frames, effectively capping cancellations at around 100 per connection. However, MadeYouReset cleverly sidesteps this by tricking the server into issuing RST_STREAM frames instead.
HTTP/2 MadeYouReset Vulnerability
HTTP/2 uses frames transmitted over streams for requests and responses, with control frames like SETTINGS, WINDOW_UPDATE, and RST_STREAM managing behavior. The protocol’s MAX_CONCURRENT_STREAMS parameter aims to prevent overload by capping active streams.
In MadeYouReset, attackers send valid requests that the server begins processing, then trigger protocol errors via invalid control frames or sequencing violations.
This prompts the server to send RST_STREAM for errors, closing the stream in the HTTP/2 view while backend computation persists. Researchers identified six RFC-compliant primitives for inducing these server resets, applicable to any standards-adhering implementation.
Unlike malformed requests that trigger immediate rejection (e.g., 4xx errors with no backend work), these primitives ensure the server starts heavy processing before the reset. Result: attackers flood servers with requests exceeding concurrency limits, all without sending RST_STREAM themselves, evading common safeguards.
The vulnerability enables low-cost, high-impact DDoS attacks. Attackers need minimal resources—just enough bandwidth to send frames—while servers expend CPU, memory, and I/O on phantom requests. Tests show most affected systems suffer full DoS, with some crashing from out-of-memory conditions.
Impact varies by server capacity and targeted resources. Even lightweight stream overhead (parsing, state management, HPACK compression) accumulates at scale, degrading performance. Combined with botnets, this could rival Rapid Reset’s record-breaking assaults.
Affected projects include Netty (CVE-2025-55163), Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), H2O, and Swift-NIO-HTTP2. Over 100 vendors were coordinated for disclosure via CERT/CC.
Vendors recommend immediate patches: update to fixed versions and implement rate-limiting on server resets. For unpatched systems, reduce MAX_CONCURRENT_STREAMS or monitor anomalous RST_STREAM patterns.
This flaw highlights persistent asymmetries in HTTP/2, where request sending is cheap but processing is expensive. As web traffic increasingly relies on HTTP/2, ongoing protocol refinements are essential to counter evolving threats.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
