Vulnerability Overview
Recently, security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel discovered a new vulnerability in the HTTP/2 protocol, named ‘MadeYouReset’ (CVE-2025-8671). This vulnerability allows attackers to bypass the server’s limit on the number of concurrent requests within a single TCP connection (typically 100), enabling large-scale denial of service (DoS) attacks.
Technical Details
The ‘MadeYouReset’ vulnerability exploits the dual-purpose nature of the RST_STREAM frame in the HTTP/2 protocol. This frame can be used both for client-initiated request cancellation and to indicate stream errors. Attackers can trigger protocol violations by carefully crafted frames, forcing the server to actively send RST_STREAM frames, thereby bypassing existing Rapid Reset attack mitigations.
The six key primitives for exploiting the vulnerability include:
- WINDOW_UPDATE frame with an increment of 0
- PRIORITY frame with a length not equal to 5 (the only valid length for PRIORITY frames is 5)
- PRIORITY frame that makes the stream dependent on itself
- WINDOW_UPDATE frame that exceeds the maximum allowed size of 2^31-1
- HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)
- DATA frame sent after the client has closed the stream (via the END_STREAM flag)
Scope of Impact
This vulnerability affects several mainstream HTTP/2 implementations, including:
- Apache Tomcat (CVE-2025-48989)
- F5 BIG-IP (CVE-2025-54500)
- Netty (CVE-2025-55163)
The CERT/CC has issued a notice indicating that this vulnerability exploits the mismatch between the HTTP/2 specification and the actual internal architecture of web servers, leading to resource exhaustion.
Impact of Attacks
Successful exploitation of this vulnerability can lead to:
- Exhaustion of server resources, resulting in denial of service
- Potential memory crashes in certain vendor implementations
- Complete bypass of existing protections against Rapid Reset attacks
- Achieving destructive effects similar to those of Rapid Reset attacks
Related Background
This is another high-risk DoS vulnerability found in the HTTP/2 protocol, following Rapid Reset (CVE-2023-44487) and the HTTP/2 CONTINUATION Flood. Imperva experts noted: “The server-triggered Rapid Reset vulnerability highlights the evolving complexity of modern protocol abuse. As HTTP/2 remains foundational to web infrastructure, preventing subtle attacks like MadeYouReset that conform to specifications is more critical than ever.”
Click below>>>Read the original article<<< for more security news