
Part01
Vulnerability Overview
Security researchers have discovered a new type of Denial of Service (DoS) vulnerability in the implementation of the HTTP/2 protocol, named “MadeYouReset” (CVE-2025-8671). This vulnerability was publicly disclosed on August 13, 2025, marking a significant escalation in threats related to network protocols. Attackers can exploit this vulnerability to bypass built-in concurrency limits, overwhelming servers with unlimited concurrent requests, ultimately leading to system crashes due to resource exhaustion.This vulnerability is directly built upon the Rapid Reset vulnerability discovered in 2023 (CVE-2023-44487), which exploited the stream cancellation mechanism of HTTP/2. In a Rapid Reset attack, the attacker sends a request and immediately cancels it using a client-initiated RST_STREAM frame, forcing the server to process the response without counting against the MAX_CONCURRENT_STREAMS limit (typically set to 100).
Part02
Attack Mechanism
Mitigation measures against Rapid Reset primarily focus on limiting the number of RST_STREAM frames sent by clients, controlling the cancellation count per connection to around 100. However, MadeYouReset cleverly circumvents this limitation by inducing the server itself to issue RST_STREAM frames to execute the attack.The HTTP/2 protocol transmits request and response frames through streams, managing behavior with control frames such as SETTINGS, WINDOW_UPDATE, and RST_STREAM. The MAX_CONCURRENT_STREAMS parameter is designed to prevent overload by limiting the number of active streams.In a MadeYouReset attack, the attacker first sends a valid request for the server to begin processing, then triggers protocol errors using invalid control frames or sequence violations. This causes the server to send RST_STREAM frames to handle the errors, closing the stream at the HTTP/2 level, but backend processing continues. Researchers have identified six RFC-compliant primitives that can induce these server resets, applicable to any standards-compliant implementation.
Part03
Impact Scope and Mitigation Measures
This vulnerability enables low-cost, high-impact DDoS attacks. Attackers require only minimal resources (bandwidth to send frames), while servers must expend CPU, memory, and I/O resources for these “ghost requests.” Testing shows that most affected systems suffer complete DoS attacks, with some systems crashing due to insufficient memory.Affected projects include Netty (CVE-2025-55163), Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), H2O, and Swift-NIO-HTTP2, among others. Over 100 vendors have coordinated disclosures through CERT/CC.Vendors recommend immediate patch installation: update to fixed versions and implement rate limiting on server resets. For systems that cannot be patched immediately, reducing the MAX_CONCURRENT_STREAMS value or monitoring for abnormal RST_STREAM patterns is advised.This vulnerability highlights the ongoing resource asymmetry issue in the HTTP/2 protocol—sending requests is inexpensive, while processing requests is costly. As network traffic increasingly relies on HTTP/2, it is crucial to continuously optimize the protocol to address evolving threats.
References:
New HTTP/2 MadeYouReset Vulnerability Enables Large-Scale DDoS Attacks
https://cybersecuritynews.com/http-2-madeyoureset-vulnerability/
Source: FreeBuf
Disclaimer: Our company respects the copyright of original authors. Except for our original content and cases where authors cannot be confirmed, we will credit the authors and sources at the end of the article. The copyright of the article belongs to the original author. If there are any copyright issues regarding reprints, please contact our public account for deletion. Thank you very much.