New HTTP/2 ‘MadeYouReset’ Vulnerability Can Trigger Large-Scale DoS Attacks

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

Multiple vulnerabilities have been discovered in HTTP/2 that are susceptible to a new attack technique called MadeYouReset, which can be exploited to launch powerful denial-of-service (DoS) attacks.

Researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel stated: “MadeYouReset bypasses the limits typically imposed by servers, which allow a maximum of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of requests a client can send simultaneously.

“By exploiting MadeYouReset, attackers can send thousands of requests, creating denial-of-service conditions for legitimate users, and in some vendor implementations, escalate to out-of-memory crashes.”

The vulnerability has been assigned the common CVE identifier CVE-2025-8671, but the issue affects various products, including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

MadeYouReset is the latest vulnerability in HTTP/2 following Rapid Reset (CVE-2023-44487) and HTTP/2 CONTINUATION Flood, which could be weaponized to launch large-scale DoS attacks.

Just like the other two attacks that exploit RST_STREAM frames and CONTINUATION frames in the HTTP/2 protocol, MadeYouReset builds on Rapid Reset and its mitigations, which limit the number of streams a client can cancel using RST_STREAM.

Specifically, it exploits the characteristic of RST_STREAM frames that can be used for both client-initiated cancellations and signaling stream errors. The implementation involves sending carefully crafted frames that trigger protocol violations in unexpected ways, prompting the server to reset the stream by issuing RST_STREAM.

Bar Nahum explained: “For MadeYouReset to work, the stream must start with a valid request being processed by the server, then trigger a stream error so that the server issues RST_STREAM while the backend continues to compute the response.”

“By crafting certain invalid control frames or violating protocol ordering at the right moment, we can make the server send RST_STREAM for streams that have already carried valid requests.”

The six primitives that cause the server to send RST_STREAM frames include –

  • WINDOW_UPDATE frame with an increment of 0
  • PRIORITY frame with a length not equal to 5 (the only valid length)
  • PRIORITY frame that makes the stream dependent on itself
  • WINDOW_UPDATE frame with an increment that exceeds 2^31 − 1 (the maximum allowed window size)
  • HEADERS frame sent after the client closes the stream (with the END_STREAM flag)
  • DATA frame sent after the client closes the stream (with the END_STREAM flag)

This attack is particularly notable because it eliminates the need for attackers to send RST_STREAM frames, thereby completely bypassing the Rapid Reset mitigations while achieving the same impact.

The CERT Coordination Center (CERT/CC) stated in an announcement that MadeYouReset exploits the mismatch between the HTTP/2 specification and the internal architecture of many real-world web servers regarding stream resets, leading to resource exhaustion—attackers can leverage this to trigger DoS attacks.

Imperva stated: “The discovery of the server-triggered Rapid Reset vulnerability highlights the increasingly complex state of modern protocol abuse. As HTTP/2 remains foundational to web infrastructure, protecting it from subtle and specification-compliant attacks like MadeYouReset is more important than ever.”

HTTP/1.1 Must Die#

The disclosure of MadeYouReset coincides with the application security company PortSwigger revealing a new type of HTTP/1.1 asynchronous attack (also known as HTTP request smuggling), which includes a variant called 0.CL that puts millions of websites at risk of malicious takeover. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have addressed these issues.

HTTP request smuggling is a security vulnerability that affects application layer protocols, exploiting inconsistencies in how front-end and back-end servers parse non-compliant HTTP requests, allowing attackers to “smuggle” requests and bypass security measures.

James Kettle from PortSwigger stated: “HTTP/1.1 has a fatal flaw: attackers can create significant ambiguity, making it unclear where one request ends and the next begins. HTTP/2+ eliminates this ambiguity, making asynchronous attacks nearly impossible. However, merely enabling HTTP/2 on edge servers is not enough—it must be used for upstream connections between reverse proxies and origin servers.”

Update#

Multiple vendors have responded to the disclosure of MadeYouReset –

  • Akamai
  • Claris FileMaker
  • Cloudflare
  • Eclipse Vert.x
  • Fastly
  • Water
  • Super H2
  • LiteSpeed
  • Varnish Cache

Source: The Hacker News

Leave a Comment