Shake Network Technology NewsClick the right to follow for the latest technology news!
Part01
Vulnerability Overview
Security researchers have discovered a new denial-of-service (DoS) vulnerability in the implementation of the HTTP/2 protocol, named “MadeYouReset” (CVE-2025-8671). This vulnerability was publicly disclosed on August 13, 2025, marking a significant escalation in threats related to network protocols. Attackers can exploit this vulnerability to bypass built-in concurrency limits, overwhelming servers with unlimited concurrent requests, ultimately causing the system to crash due to resource exhaustion.This vulnerability is directly built upon the Rapid Reset vulnerability discovered in 2023 (CVE-2023-44487), which exploited the stream cancellation mechanism of HTTP/2. In a Rapid Reset attack, the attacker sends a request and immediately cancels it using a client-initiated RST_STREAM frame, forcing the server to process the response without counting against the MAX_CONCURRENT_STREAMS limit (typically set to 100).
Part02
Attack Principle
Mitigation measures against Rapid Reset primarily focus on limiting the number of RST_STREAM frames sent by clients, controlling the cancellation count per connection to around 100. However, MadeYouReset cleverly circumvents this limitation by inducing the server itself to issue RST_STREAM frames to carry out the attack.The HTTP/2 protocol transmits request and response frames through streams, managing behavior with control frames such as SETTINGS, WINDOW_UPDATE, and RST_STREAM. The MAX_CONCURRENT_STREAMS parameter is designed to prevent overload by limiting the number of active streams.In a MadeYouReset attack, the attacker first sends a valid request to initiate processing on the server, then triggers protocol errors by sending invalid control frames or sequence violations. This causes the server to send RST_STREAM frames to handle the error, closing the stream at the HTTP/2 level, but backend processing continues. Researchers have identified six RFC-compliant primitives that can induce these servers to reset, applicable to any standards-compliant implementation.
Part03
Impact Scope and Mitigation Measures
This vulnerability enables low-cost, high-impact DDoS attacks. Attackers require only minimal resources (bandwidth for sending frames), while servers must expend CPU, memory, and I/O resources for these “ghost requests.” Tests show that most affected systems suffer complete DoS attacks, with some systems crashing due to insufficient memory.Affected projects include Netty (CVE-2025-55163), Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), H2O, and Swift-NIO-HTTP2. Over 100 vendors have coordinated the disclosure of related information through CERT/CC.Vendors recommend immediate patch installation: update to fixed versions and implement rate limiting on server resets. For systems that cannot be patched immediately, reducing the MAX_CONCURRENT_STREAMS value or monitoring for abnormal RST_STREAM patterns is advised.This vulnerability highlights the ongoing resource asymmetry issue in the HTTP/2 protocol—sending requests is inexpensive, while processing requests is costly. As network traffic increasingly relies on HTTP/2, it is crucial to continuously optimize the protocol to address evolving threats.

Share

Collect

Like

View