Red Hot Cyber


The MadeYouReset vulnerability in HTTP/2 can be exploited in powerful DDoS attacks

Redazione RHC : 18 August 2025 08:53

A vulnerability called MadeYouReset has been discovered in several HTTP/2 implementations. This vulnerability can be exploited to launch powerful DDoS attacks.

Researchers at Imperva, Deepness Lab, and Tel Aviv University write that the vulnerability has been assigned the primary identifier CVE-2025-8671. However, the bug affects products from various vendors, many of which have already released their own CVEs and security bulletins: Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163), Vert.x and Varnish.

Products from Mozilla, Wind River, Zephyr Project, Google, IBM, and Microsoft have also been reported as vulnerable, leaving systems that run them exposed in one way or another.

“MadeYouReset bypasses the standard server limit of 100 simultaneous HTTP/2 requests per client TCP connection,” the experts explain. “This limit is designed to protect against DoS attacks by limiting the number of concurrent requests a client can send. With MadeYouReset, an attacker can send thousands of requests, creating DoS conditions for legitimate users, and in some implementations, this can lead to crashes and out-of-memory conditions.”

The MadeYouReset vulnerability is similar to the Rapid Reset and Continuation Flood issues, which have been exploited in powerful zero-day DDoS attacks.

Like these two attacks, which exploit RST_STREAM and CONTINUATION frames in the HTTP/2 protocol, MadeYouReset builds on Rapid Reset and bypasses the protection that limits the number of streams a client can cancel via RST_STREAM.

The attack exploits the fact that the RST_STREAM frame is used both for client-initiated cancellation and for reporting stream errors. MadeYouReset works by sending specially crafted frames that cause unexpected protocol violations, forcing the server to reset the stream with RST_STREAM.

“For MadeYouReset to trigger, a flow must start with a valid request that the server begins working on, and then throw an error so that the server falls back to RST_STREAM while the backend continues processing the response,” the researchers write. “By creating certain invalid control frames or interrupting the protocol at the right time, we can force the server to use RST_STREAM on a flow that already contained a valid request.”

Furthermore, Imperva points out that MadeYouReset traffic blends in with normal traffic, making such attacks difficult to detect.

Experts recommend several measures to help protect against MadeYouReset: stricter protocol validation, more rigorous stream state monitoring to reject invalid transitions, connection-level rate control, and anomaly detection and behavioral monitoring.
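The stream state monitoring and connection-level rate control recommended above can be sketched as per-connection accounting that keeps counting a request while the backend is still working on it, even after the server has reset its stream. This is an added example, not code from the researchers or any vendor; `ConnectionGuard`, the event names, `RESET_BUDGET` and `WINDOW_SECONDS` are assumptions, and the trace is constructed.

```python
from collections import deque

MAX_CONCURRENT_STREAMS = 100  # per-connection limit cited in the article
RESET_BUDGET = 20             # assumed: induced resets tolerated per window
WINDOW_SECONDS = 10.0         # assumed sliding-window length

class ConnectionGuard:  # hypothetical helper, not a real server API
    def __init__(self, reset_budget=RESET_BUDGET):
        self.reset_budget = reset_budget
        self.open_streams = set()  # streams open at protocol level
        self.backend_busy = set()  # requests the backend is still processing
        self.resets = deque()      # times the server reset an accepted request

    def on_request(self, sid):
        # Count backend work too: a reset stream still costs resources.
        if len(self.open_streams | self.backend_busy) >= MAX_CONCURRENT_STREAMS:
            return "refuse"
        self.open_streams.add(sid)
        self.backend_busy.add(sid)
        return "accept"

    def on_server_reset(self, sid, now):
        # The server sent RST_STREAM after a client-triggered protocol error.
        self.open_streams.discard(sid)
        if sid in self.backend_busy:
            self.resets.append(now)
        while self.resets and now - self.resets[0] > WINDOW_SECONDS:
            self.resets.popleft()
        return "close_connection" if len(self.resets) > self.reset_budget else "continue"

    def on_backend_done(self, sid):
        self.open_streams.discard(sid)
        self.backend_busy.discard(sid)

def replay(events, reset_budget=RESET_BUDGET):
    """Replay (time, kind, stream_id) events; return (verdict, peak backend load)."""
    guard, peak = ConnectionGuard(reset_budget), 0
    for now, kind, sid in events:
        if kind == "request":
            guard.on_request(sid)
        elif kind == "done":
            guard.on_backend_done(sid)
        elif guard.on_server_reset(sid, now) == "close_connection":  # "server_reset"
            return "closed", peak
        peak = max(peak, len(guard.backend_busy))
    return "ok", peak

# Constructed trace: 1000 requests, each reset by the server, backend never finishes.
ABUSIVE = [(i * 0.01, k, 2 * i + 1) for i in range(1000) for k in ("request", "server_reset")]
```

On the constructed trace the connection is closed after the 21st induced reset; with the reset budget disabled, the backend-aware counter alone still holds the connection to 100 in-flight requests.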
