New HTTP/2 Vulnerability ‘MadeYouReset’ Exposed: Potential for Large-Scale DoS Attacks

Vulnerability Overview

Recently, security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel discovered a new vulnerability in the HTTP/2 protocol, named ‘MadeYouReset’ (CVE-2025-8671). This vulnerability allows attackers to bypass the server’s limit on the number of concurrent requests within a single TCP connection (typically 100), enabling large-scale denial of service (DoS) attacks.

Technical Details

The ‘MadeYouReset’ vulnerability exploits the dual-purpose nature of the RST_STREAM frame in the HTTP/2 protocol. This frame can be used both for client-initiated request cancellation and to indicate stream errors. Attackers can trigger protocol violations by carefully crafted frames, forcing the server to actively send RST_STREAM frames, thereby bypassing existing Rapid Reset attack mitigations.

The six key primitives for exploiting the vulnerability include:

  1. WINDOW_UPDATE frame with an increment of 0
  2. PRIORITY frame with a length not equal to 5 (the only valid length for PRIORITY frames is 5)
  3. PRIORITY frame that makes the stream dependent on itself
  4. WINDOW_UPDATE frame that exceeds the maximum allowed size of 2^31-1
  5. HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)
  6. DATA frame sent after the client has closed the stream (via the END_STREAM flag)

Scope of Impact

This vulnerability affects several mainstream HTTP/2 implementations, including:

  • Apache Tomcat (CVE-2025-48989)
  • F5 BIG-IP (CVE-2025-54500)
  • Netty (CVE-2025-55163)

The CERT/CC has issued a notice indicating that this vulnerability exploits the mismatch between the HTTP/2 specification and the actual internal architecture of web servers, leading to resource exhaustion.

Impact of Attacks

Successful exploitation of this vulnerability can lead to:

  1. Exhaustion of server resources, resulting in denial of service
  2. Potential memory crashes in certain vendor implementations
  3. Complete bypass of existing protections against Rapid Reset attacks
  4. Achieving destructive effects similar to those of Rapid Reset attacks

Related Background

This is another high-risk DoS vulnerability found in the HTTP/2 protocol, following Rapid Reset (CVE-2023-44487) and the HTTP/2 CONTINUATION Flood. Imperva experts noted: “The server-triggered Rapid Reset vulnerability highlights the evolving complexity of modern protocol abuse. As HTTP/2 remains foundational to web infrastructure, preventing subtle attacks like MadeYouReset that conform to specifications is more critical than ever.”

Click below>>>Read the original article<<< for more security news

Leave a Comment