
Recently, a new type of cyber vulnerability known as “Made You Reset” has garnered widespread attention in the security field. This vulnerability is related to the HTTP/2 protocol, which is widely used on the modern internet, and can be exploited by attackers to launch large-scale Denial of Service (DoS) attacks, potentially exhausting server resources and causing crashes. This discovery was made by researchers from Tel Aviv University in Israel in collaboration with the cybersecurity company Imperva, and a warning was issued by the US CERT/CC in mid-August. Due to its similarities in attack principles with the “Rapid Reset” vulnerability that had significant impacts in 2023, major internet companies and the security community are on high alert.
1. What is the ‘Made You Reset’ Vulnerability?
“Made You Reset” literally translates to “let you reset,” vividly revealing its core attack mechanism: it does not attack the server through brute force but cleverly exploits a design flaw in the HTTP/2 protocol to induce the server to “reset” its communication process, thereby exhausting its own resources.
We can understand this with an example of a fast-food restaurant: Imagine a fast-food restaurant that allows the kitchen to handle only 10 orders at a time to ensure efficiency. Normally, excess orders would need to wait in line. However, a malicious customer discovers a flaw in the ordering system: he continuously places orders and then immediately uses a special method to make the system mistakenly believe there is a problem with the order, thus actively canceling it. The key is that, although the system shows the order has been canceled, the kitchen has already started preparing the ingredients and will continue to complete this “invalid” order. Meanwhile, the ordering system, seeing the order has been canceled, thinks the kitchen has become available and allows more new orders to come in. As a result, the kitchen is actually processing far more than the 10-order limit, ultimately exhausting the chefs and causing the entire kitchen to collapse.
In this analogy, the “server” is the chef, the “network request” is the order, and the “system actively canceling the order” corresponds to the Stream Reset mechanism in the HTTP/2 protocol. HTTP/2 allows clients or servers to cancel unnecessary request streams to improve efficiency. However, the “Made You Reset” vulnerability exploits the logical differences in how some servers handle abnormal requests: the server marks the request as “reset” at the protocol level, believing that the concurrency slot has been released, but its backend application process continues to futilely process these requests that should have been discarded.
In short, attackers exploit this vulnerability to bypass the core protection mechanism of the server that limits the “maximum number of concurrent requests” to prevent overload, forcing the server into an overloaded state of “inconsistent behavior”.
2. How Do Attackers Exploit This Vulnerability?
The attack process is quite stealthy, as it exploits the internal logic of the protocol rather than sending traditionally malicious data.
-
Establishing a connection and sending abnormal requests: The attacker first establishes a standard HTTP/2 connection with the target server. They then send a series of carefully crafted requests. These requests superficially comply with protocol specifications but contain minor flaws that can trigger internal error determinations in the server, such as sending a control frame of size 0 or out of range.
-
Inducing the server to reset itself: When the server’s HTTP/2 implementation receives these signals that it cannot process correctly but are not considered serious violations, it will determine it as a protocol error and proactively initiate a “stream reset” operation to close the current communication stream. For the server, it believes this request has been processed (canceled) and can release a concurrency processing slot.
-
Continuous occupation of backend resources: This is the crux of the attack. Although the protocol-level counter decreases, indicating the server is “idle,” many server backend application logics do not immediately stop processing the actual tasks of this “canceled” request. This creates a fatal state of discrepancy between the frontend “slots are free” and the backend “resources are still occupied”.
-
Repetitive cycles, exhausting resources: Attackers exploit this state inconsistency to repeatedly initiate the “request -> trigger server reset” cycle at a very high frequency on a single HTTP/2 connection. Since the server continuously “deceives itself” into believing it can handle new requests, a single attacker can easily send tens of thousands of requests, far exceeding normal concurrency limits. These requests pile up in the server’s backend, ultimately exhausting core resources such as CPU and memory.
-
Service paralysis: When the server load reaches a critical point, it becomes extremely slow to respond or even crashes directly. Ultimately, the attacker achieves a highly efficient denial of service attack with minimal resources, causing normal users to be unable to access the service. Since the entire process mimics normal protocol behavior, traditional firewalls and traffic limiting strategies may struggle to effectively identify and intercept it.
3. How Widespread is the Impact?
The “Made You Reset” vulnerability affects various mainstream HTTP/2 server software and framework implementations. According to disclosed information, affected systems include:
- Apache Tomcat: As a widely used Java web server, the affected version of this vulnerability is numbered CVE-2025-48989.
- Java Networking Frameworks (e.g., Netty, Jetty): Many high-performance network applications rely on these underlying frameworks. For example, Netty has assigned the vulnerability number CVE-2025-55163 and released a patch.
- Commercial Servers and Devices: Some enterprise-level products have also been affected, such as the IBM WebSphere application server and F5’s BIG-IP load balancer (related vulnerability number CVE-2025-54500).
Overall, any website or service using a vulnerable HTTP/2 protocol stack is at risk. However, it is worth noting that this vulnerability is not without defenses. Many mainstream web services have strengthened their restrictions on abnormal HTTP/2 stream behaviors after experiencing the “Rapid Reset” attack in 2023. These previously deployed mitigation measures can effectively defend against the “Made You Reset” attack, thus limiting the actual impact of this vulnerability.
4. Responses from Major Vendors
In the face of new threats, relevant software vendors and large network service providers have acted swiftly to form a solid defense.
- Timely release of security patches: At the same time as the vulnerability was disclosed, most affected open-source communities and commercial companies have released patches. For example, Apache urgently launched security versions such as Tomcat 9.0.108, 10.1.44, and 11.0.10; the Netty project also quickly released a fix. Urging users to upgrade as soon as possible is the first and most important barrier to blocking attacks.
- Proactive defenses from large cloud service providers: Global CDN and cloud security service providers, represented by Cloudflare, were informed of the details months before the vulnerability was disclosed due to a responsible vulnerability disclosure mechanism. More importantly, the defense strategies they deployed in response to the “Rapid Reset” have already covered such attacks. Therefore, Cloudflare and its protected customers automatically gained immunity to “Made You Reset” without any additional action. Similarly, other large cloud platforms (such as AWS, Google Cloud) also possess strong resistance capabilities due to previous security hardening.
- Temporary mitigation strategies: For users who cannot upgrade immediately, security experts have suggested some temporary measures, such as enhancing monitoring of abnormal reset behaviors from individual clients or, in extreme cases, temporarily disabling HTTP/2 and downgrading to HTTP/1.1 to avoid risks.
Thanks to the industry’s rapid response and accumulated defensive experience, the “Made You Reset” vulnerability has not evolved into a large-scale cyber disaster.
5. Should Ordinary Users Be Concerned?
For the vast majority of ordinary internet users, there is no need to panic excessively about this vulnerability. This is because it primarily targets servers rather than personal computers or mobile devices.
- No threat to personal device security: This vulnerability will not cause your device to be infected with viruses or controlled by hackers. The direct consequence of the attack is the interruption of the websites or app services you wish to access. You may encounter issues such as websites not loading or apps loading slowly, but this is usually a server-side problem rather than a fault with your network or device.
- Protection recommendations: As an ordinary user, the most effective “protection” is to choose reputable and technically strong network services. Large service providers can typically fix vulnerabilities faster and have robust DDoS attack mitigation capabilities. Additionally, keeping your browser, operating system, and commonly used applications updated to the latest versions is also a good general security practice.
- Responsibility of website operators: If you are an operator of a website or service, you are the primary responsible party for this vulnerability incident. Please ensure to check the versions of the server software you are using (such as Tomcat, Netty, etc.) and upgrade to the official security versions as soon as possible.
Conclusion: Lessons from the Incident
The “Made You Reset” vulnerability incident once again confirms a core security principle:Complexity is the enemy of security. While the HTTP/2 protocol aims for high performance, its complex mechanisms also provide fertile ground for vulnerabilities. A design intended to enhance efficiency can, under certain conditions, be turned into a weapon for attack.
This incident also highlights the successful model of modern network security defense:
- Responsible vulnerability disclosure: Collaboration between security researchers and vendors ensures that patches are in place before vulnerabilities are made public, greatly shortening the risk window.
- Experience sharing and iteration: Lessons learned from the “Rapid Reset” incident have prompted service providers to build more resilient defense systems, which successfully resisted this “variant” attack.
- Continuous vigilance and rapid response: Security is an endless game of offense and defense. Whether protocol designers, software developers, or service operators, all must remain vigilant and establish mechanisms that can quickly respond to unknown threats.
For the entire internet ecosystem, “Made You Reset” serves as a pressure test that reminds us that while enjoying the conveniences brought by technological advancements, we must constantly examine their potential security risks and be prepared for them.