New HTTP/2 ‘MadeYouReset’ Vulnerability Can Trigger Large-Scale DoS Attacks

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS AttacksNew HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

A new attack technique known as MadeYouReset has been discovered, which affects various implementations of HTTP/2 and can be exploited to launch powerful denial-of-service (DoS) attacks.

Researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel stated: “MadeYouReset bypasses the limits typically imposed by servers, which allow a maximum of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of requests a client can send simultaneously.”

“By leveraging MadeYouReset, attackers can send thousands of requests, creating denial-of-service conditions for legitimate users, and in some vendor implementations, escalate to memory exhaustion crashes.”

The vulnerability has been assigned the common CVE identifier CVE-2025-8671 (CVSS score: 7.5), affecting various products including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

MadeYouReset is the latest vulnerability in HTTP/2, following Rapid Reset (CVE-2023-44487) and HTTP/2 CONTINUATION Flood, which could be weaponized to launch large-scale DoS attacks.

Similar to the other two attacks that exploit RST_STREAM frames and CONTINUATION frames in the HTTP/2 protocol, MadeYouReset builds on Rapid Reset and its mitigations, which limit the number of streams that can be canceled using RST_STREAM by the client.

Specifically, it exploits the characteristic of RST_STREAM frames that can be used for both client-initiated cancellations and signaling stream errors. The implementation involves sending carefully crafted frames that trigger protocol violations in unexpected ways, prompting the server to reset the stream by issuing RST_STREAM.

Bar Nahum explained: “For MadeYouReset to work, the stream must start with a valid request being processed by the server, then trigger a stream error so that the server issues RST_STREAM while the backend continues to compute the response.”

“By crafting certain invalid control frames or violating protocol ordering at the right moment, we can cause the server to send RST_STREAM for streams that have already carried valid requests.”

The six primitives that cause the server to send RST_STREAM frames include –

  • WINDOW_UPDATE frame with an increment of 0

  • PRIORITY frame with a length not equal to 5 (the only valid length)

  • PRIORITY frame that makes the stream dependent on itself

  • WINDOW_UPDATE frame with an increment that exceeds 2^31 − 1 (the maximum allowed window size)

  • HEADERS frame sent after the client closes the stream (with the END_STREAM flag)

  • DATA frame sent after the client closes the stream (with the END_STREAM flag)

This attack is particularly notable because it eliminates the need for attackers to send RST_STREAM frames, thereby completely bypassing the Rapid Reset mitigations while achieving the same impact.

The CERT Coordination Center (CERT/CC) stated in an announcement that MadeYouReset exploits the mismatch between the HTTP/2 specification and the internal architecture of many real-world web servers regarding stream resets, leading to resource exhaustion—attackers can leverage this to trigger DoS attacks.

Imperva stated: “The discovery of the server-triggered rapid reset vulnerability highlights the increasingly complex state of modern protocol abuse. As HTTP/2 remains foundational to web infrastructure, protecting it from subtle and specification-compliant attacks like MadeYouReset is more important than ever.”

HTTP/1.1 must die

The disclosure of MadeYouReset coincides with the application security company PortSwigger revealing a new type of HTTP/1.1 asynchronous attack (also known as HTTP request smuggling), which includes a variant called 0.CL that exposes millions of websites to the risk of malicious takeover. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have addressed these issues.

HTTP request smuggling is a security vulnerability that affects application layer protocols, exploiting inconsistencies in how front-end and back-end servers parse non-compliant HTTP requests according to RFC, allowing attackers to “smuggle” requests and bypass security measures.

James Kettle from PortSwigger stated: “HTTP/1.1 has a fatal flaw: attackers can create significant ambiguity, making it unclear where one request ends and the next begins. HTTP/2+ eliminates this ambiguity, making asynchronous attacks nearly impossible. However, merely enabling HTTP/2 on edge servers is not enough—it must be used for upstream connections between reverse proxies and origin servers.”

Thank you for taking the time

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

.

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

.

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

Read this article

New HTTP/2 'MadeYouReset' Vulnerability Can Trigger Large-Scale DoS Attacks

Click it, share, like, and see it all here

Leave a Comment