
New HTTP/2 ‘MadeYouReset’ Flaw Enables Massive DoS Attacks


A newly disclosed HTTP/2 vulnerability dubbed “MadeYouReset” (CVE-2025-8671) lets attackers overwhelm websites and APIs by tricking servers into resetting their own streams—evading many Rapid Reset mitigations from 2023. Researchers at Tel Aviv University coordinated disclosure with CERT/CC as major vendors issued fixes and advisories. No in-the-wild abuse has been observed so far.

A protocol-level weakness in HTTP/2 is exposing popular servers to large-scale denial-of-service (DoS) attacks, security researchers warned this week, prompting a coordinated vendor response and emergency patches across web infrastructure stacks worldwide.

What’s new: Researchers Gal Bar Nahum, Prof. Anat Bremler-Barr, and Dr. Yaniv Harel detailed MadeYouReset, a technique that bypasses the built-in HTTP/2 concurrency limit by coercing servers to issue RST_STREAM resets themselves, allowing effectively unbounded parallel work on the backend. CERT/CC assigned umbrella CVE-2025-8671, with product-specific CVEs for affected stacks (e.g., Apache Tomcat CVE-2025-48989; F5 BIG-IP CVE-2025-54500; Netty CVE-2025-55163).

Who’s affected / vendor status:
CERT/CC lists multiple impacted implementations and patch guidance. Tomcat users should upgrade to 11.0.10, 10.1.44, or 9.0.108. Varnish released fixed builds (7.7.2, 7.6.4, 6.0.15) and documents a temporary HTTP/2 disable switch as a mitigation; Akamai says its HTTP/2 stack was not vulnerable; Cloudflare reports existing Rapid Reset defenses also neutralize this variant on its edge.

  • “It lets an attacker create effectively unbounded concurrent work on servers,” said discoverer Gal Bar Nahum.
  • CERT/CC notes the bug “exploits a mismatch … resulting in resource exhaustion.”
  • Cloudflare says MadeYouReset “only impacts a relatively small number of HTTP/2 implementations.”
  • Akamai reports “no live attacks … have been observed” and credits coordinated disclosure before disruption.

Technical analysis — how “MadeYouReset” works

Concept: Rapid Reset (CVE-2023-44487) abused client-sent RST_STREAM to cancel streams faster than servers could stop backend work. MadeYouReset achieves the same outcome without the client sending RST_STREAM—it provokes the server to issue RST_STREAM by injecting carefully timed control-frame violations after a valid request has begun processing. Because the stream is “closed” from the protocol’s perspective, it falls out of MAX_CONCURRENT_STREAMS accounting while backend computation continues, enabling near-unbounded concurrency on a single connection.

Observed “primitives” that force server-sent RST_STREAM (examples):

  • WINDOW_UPDATE with increment = 0 (illegal) or a value that overflows the 2³¹−1 window cap.
  • PRIORITY frame with invalid length or self-dependency.
  • HEADERS/DATA frames sent after END_STREAM on a half-closed stream.
    These protocol misuses are syntactically valid at the frame level but semantically invalid in sequence, causing the server to reset the stream after work has started—bypassing client-RST counters deployed post-Rapid Reset.

Affected stacks / CVEs (early list): Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163); vendor matrices continue to update under CERT/CC VU#767506. Imperva’s write-up also notes impacts for Jetty and IBM WebSphere in some configurations.

Why defenses failed: Many 2023 mitigations rate-limited client RST_STREAM frames. MadeYouReset sidesteps those counters by ensuring the server emits the resets, keeping the client’s RST_STREAM count at zero. Robust implementations also short-circuit backend work on error; vulnerable ones allow work to continue, creating a request/stream-accounting mismatch attackers can amplify.

Impact & response

  • Exploitation: As of Aug. 15, no active exploitation has been observed, but the attack is practical and PoC behaviors have been demonstrated in research labs. Operators should patch preemptively.
  • Potential blast radius: High-traffic APIs, reverse proxies, app servers, and CDNs that terminate HTTP/2 and forward to heavy backends are most at risk of CPU/memory exhaustion or, in some stacks, OOM crashes.
  • Coordinated disclosure: Researchers notified vendors in late May; public disclosure Aug. 13–14 with vendor guidance consolidated under CERT/CC VU#767506.

Mitigations (what to do now)

  1. Patch/upgrade:
    • Tomcat → 11.0.10 / 10.1.44 / 9.0.108.
    • Varnish → 7.7.2 / 7.6.4 / 6.0.15 (Enterprise 6.0.14r5).
    • Rust h2 crate (used by Pingora, etc.) → ≥ 0.4.11.
    • Track vendor advisories for F5 BIG-IP, Netty, Jetty, WebSphere, etc. via CERT/CC VU#767506.
  2. Protocol-level hardening (for implementers/operators):
    • Reject malformed/ill-timed frames early (e.g., WINDOW_UPDATE=0, window overflow, invalid PRIORITY length; HEADERS/DATA after END_STREAM).
    • Enforce strict stream-state checks so backend work is aborted on stream errors, not just response transmission.
    • Rate-limit connection-level protocol errors and server-sent resets, not just client RST_STREAM counts.
  3. Operational safeguards:
    • Autoscale front-ends; monitor RST_STREAM/GOAWAY error rates and per-connection protocol-error churn as an attack signal.
    • Temporary fallback: where patching is not immediately possible, disable HTTP/2 on vulnerable edges (remove h2 from the ALPN list) while keeping TLS in place; this is a last resort because of the performance impact.
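The accounting mismatch described in the technical analysis, and the two protocol-level fixes above (abort backend work on a stream error; budget server-sent resets, not only client RST_STREAM), as an added toy model. This is illustrative code written for this article, not code from any of the affected projects; the stream/job sets, the `SERVER_RESET_BUDGET` value and the `replay_forced_resets` event sequence are constructed assumptions, and no network frames are sent.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # the advertised per-connection concurrency limit
SERVER_RESET_BUDGET = 50       # assumed per-connection budget for server-sent RST_STREAM

@dataclass
class Connection:
    """Per-connection state; 'hardened' selects the corrected accounting."""
    hardened: bool
    open_streams: set = field(default_factory=set)   # streams counted against the limit
    backend_jobs: set = field(default_factory=set)   # streams whose backend work still runs
    server_resets: int = 0                           # RST_STREAM frames the server sent
    client_resets: int = 0                           # RST_STREAM frames the client sent (0 here)
    goaway: bool = False

    def on_headers(self, sid: int) -> bool:
        """Valid request: open the stream and start backend work (limit enforced in both models)."""
        if self.goaway or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(sid)
        self.backend_jobs.add(sid)
        return True

    def on_stream_error(self, sid: int) -> None:
        """Stream error (e.g. WINDOW_UPDATE with increment 0): the server itself sends RST_STREAM."""
        self.open_streams.discard(sid)    # stream closed, leaves MAX_CONCURRENT_STREAMS accounting
        self.server_resets += 1
        if not self.hardened:
            return                        # vulnerable: backend job keeps running for a dead stream
        self.backend_jobs.discard(sid)    # hardened: abort backend work, not only the response
        if self.server_resets > SERVER_RESET_BUDGET:
            self.goaway = True            # hardened: server-sent resets are rate-limited as well

    def in_flight(self) -> int:
        return len(self.backend_jobs)

def replay_forced_resets(hardened: bool, requests: int = 400) -> Connection:
    """Constructed event sequence: every accepted stream is immediately driven to a server reset."""
    conn = Connection(hardened=hardened)
    for sid in range(1, 2 * requests, 2):          # client-initiated streams use odd ids
        if conn.on_headers(sid):
            conn.on_stream_error(sid)
    return conn

if __name__ == "__main__":
    for mode in (False, True):
        c = replay_forced_resets(mode)
        print(f"hardened={mode}: in_flight={c.in_flight()} server_resets={c.server_resets} "
              f"client_resets={c.client_resets} goaway={c.goaway}")
```

In the vulnerable model the client's RST_STREAM counter stays at zero while backend work grows far past the concurrency limit; in the hardened model no orphaned work survives and the connection is closed once the server-reset budget is exceeded.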

Background

Rapid Reset (CVE-2023-44487) triggered record-setting L7 DDoS in 2023 and catalyzed stream-reset rate-limits across the industry. MadeYouReset is a server-triggered variant that defeats those client-side counters. Akamai says HTTP/3 has not seen an analogous widely-exploitable variant to date due to QUIC’s different stream management.

Conclusion

MadeYouReset underscores how spec-compliant edge cases can be weaponized when implementation details diverge from protocol assumptions. Expect further protocol-abuse research and defensive telemetry around server-sent resets. Teams should patch now, tighten frame validation and state-machine enforcement, and expand detection beyond client-initiated resets.

Sources: The Hacker News report; CERT/CC VU#767506; Cloudflare analysis; Akamai blog; Imperva technical write-up; Varnish advisory.
