New HTTP/2 ‘MadeYouReset’ Vulnerability Can Launch Large-Scale DoS Attacks

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Click the blue text above to follow us

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS AttacksNew HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS AttacksNew HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Multiple implementations of the HTTP/2 protocol have been found to contain a new attack technique vulnerability called “MadeYouReset,” which could be used to carry out powerful denial-of-service (DoS) attacks.

Researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Har’el stated: “MadeYouReset can bypass the limit of 100 concurrent HTTP/2 requests from each TCP connection set by the server. This limit is intended to mitigate DoS attacks by constraining the number of simultaneous requests a client can send.”

“With MadeYouReset, attackers can send thousands of requests, which not only causes denial of service for legitimate users but may also escalate to memory exhaustion crashes in some vendor implementations.”

The vulnerability has been assigned the common CVE identifier CVE-2025-8671, but this issue affects multiple products, including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

Following the “Fast Reset” (CVE-2023-44487) and “HTTP/2 CONTINUATION Flood,” MadeYouReset is another vulnerability that has emerged in the HTTP/2 protocol, which could be used to launch large-scale DoS attacks.

Just like the other two attacks that exploit the RST_STREAM frame and CONTINUATION frame in the HTTP/2 protocol, MadeYouReset builds on the “Fast Reset” and its mitigations, where the mitigation of “Fast Reset” limits the number of streams that a client can cancel using RST_STREAM.

Specifically, it exploits the fact that the RST_STREAM frame can be used for both client-initiated cancellations and to indicate stream errors. By sending carefully crafted frames that trigger protocol violations in unexpected ways, it causes the server to reset the stream by issuing RST_STREAM, thus achieving the attack’s purpose.

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Bar Nahum explained: “For MadeYouReset to work, the stream must start with a valid request being processed by the server, then trigger a stream error, causing the server to issue RST_STREAM while continuing to compute the response in the backend.”

“By crafting certain invalid control frames or violating protocol ordering at the right moment, we can make the server send RST_STREAM for streams that have already carried valid requests.”

Six basic scenarios that lead to the server sending RST_STREAM frames include:

  • WINDOW_UPDATE frame with an increment of 0

  • PRIORITY frame with a length not equal to 5 (the only valid length)

  • PRIORITY frame that makes the stream dependent on itself

  • WINDOW_UPDATE frame with an increment that causes the window to exceed 2^31−1 (the maximum allowed window size)

  • HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)

  • DATA frame sent after the client has closed the stream (via the END_STREAM flag)

It is noteworthy that this attack does not require the attacker to send RST_STREAM frames, thus completely bypassing the mitigations of “Fast Reset,” while achieving the same attack effect as “Fast Reset.”

The Computer Emergency Response Team Coordination Center (CERT/CC) stated in an announcement that MadeYouReset exploits the mismatch between the HTTP/2 specification and the internal architecture of many actual web servers due to stream resets, leading to resource exhaustion — attackers can leverage this to launch DoS attacks.

Imperva stated: “The discovery of the server-triggered ‘Fast Reset’ vulnerability highlights the increasing complexity of modern protocol abuse. As HTTP/2 remains foundational to web infrastructure, preventing subtle and specification-compliant attacks like MadeYouReset is more critical than ever.”

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS AttacksNew HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

HTTP/1.1 is destined for obsolescence

At the time of the disclosure of the MadeYouReset vulnerability, application security company PortSwigger detailed a new type of HTTP/1.1 synchronization attack (also known as HTTP request smuggling), including a variant called 0.CL that puts millions of websites at risk of being maliciously taken over. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have patched these issues.

HTTP request smuggling is a security vulnerability that affects application layer protocols, exploiting inconsistencies in how front-end and back-end servers parse non-compliant HTTP requests according to RFC specifications, allowing attackers to “smuggle” requests and bypass security measures.

James Kettle from PortSwigger stated: “HTTP/1.1 has a fatal flaw: attackers can create significant ambiguity about the end position of one request and the start position of the next request. HTTP/2 and above eliminate this ambiguity, making synchronization attacks nearly impossible. However, merely enabling HTTP/2 on edge servers is not enough — it must be used for upstream connections between reverse proxies and origin servers.”

Researchers Uncover Windows EPM Hijacking Attack Chain: Domain Privilege Escalation Achievable

2025-08-12

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Claude Releases Audit Tool claude-code-security-review, Is the Era of AI Code Auditing Here?

2025-08-08

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Famous AI Programming Tool Cursor Exposes Remote Code Execution Vulnerability, Software Supply Chain Security Under Threat

2025-08-07

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Surpassing Humanity, AI-Written Malicious Mining Software “Koske”

2025-07-29

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

If you like this article, please like, share, and follow us with a single click!

New HTTP/2 'MadeYouReset' Vulnerability Can Launch Large-Scale DoS Attacks

Leave a Comment