F5 Networks has disclosed a new HTTP/2 vulnerability affecting multiple BIG-IP products that could allow attackers to launch denial-of-service attacks against enterprise networks.
The vulnerability, designated CVE-2025-54500 and published on August 13, 2025, stems from a flaw in the HTTP/2 implementation that lets malicious actors overwhelm systems using specially crafted control frames, potentially disrupting critical network infrastructure for organizations worldwide.
New Attack Targets HTTP/2 Protocol
The newly identified vulnerability, known as the “HTTP/2 MadeYouReset Attack,” represents a significant security concern for organizations relying on F5’s BIG-IP systems for load balancing and application delivery.
The attack works by exploiting malformed HTTP/2 control frames to break the maximum concurrent streams limit, allowing remote, unauthenticated attackers to cause substantial increases in CPU usage that can lead to complete system denial-of-service.
F5’s security advisory classifies this vulnerability under CWE-770: Allocation of Resources Without Limits or Throttling, with a medium severity rating of 5.3 on the CVSS v3.1 scale and 6.9 on the newer CVSS v4.0 scale.
Importantly, F5 emphasizes that this is exclusively a data plane issue with no control plane exposure, meaning the vulnerability affects traffic processing rather than system management functions.
The vulnerability was discovered and reported by researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel, who followed responsible disclosure practices by working with F5 to address the issue before public announcement.
Key Technical Details:
- Attack Method: Malformed HTTP/2 control frames bypass maximum concurrent streams limit.
- Required Access: Remote, unauthenticated access sufficient for exploitation.
- Primary Impact: CPU resource exhaustion leading to denial-of-service conditions.
- Affected Component: Virtual servers configured with HTTP/2 profiles only.
- Attack Classification: CWE-770 resource allocation vulnerability.
- Discovery Timeline: Responsible disclosure process followed by security researchers.
Widespread F5 Product Impact
The vulnerability affects a broad range of F5 products, with BIG-IP systems bearing the brunt of the impact across multiple versions.
BIG-IP products running versions 15.1.0 through 17.5.1 are considered vulnerable when configured with HTTP/2 profiles.
The affected product lines include BIG-IP LTM, APM, ASM, DNS, and numerous other modules across the 15.x, 16.x, and 17.x branches.
F5 has already released engineering hotfixes for several product branches, including Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso for the 17.x branch and Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso for 16.x systems.
However, no fixes are currently available for the 15.x branch, leaving administrators with older systems to rely on alternative mitigation strategies.
Notably, several F5 products remain unaffected by this vulnerability, including BIG-IQ Centralized Management, F5 Distributed Cloud services, F5OS systems, and all NGINX products.
F5 Silverline services are vulnerable but only when HTTP/2 is enabled on proxy configurations.
Mitigation and Security Tips
For organizations unable to immediately apply patches, F5 recommends several mitigation approaches.
The most straightforward solution involves disabling HTTP/2 and reverting to standard HTTP for systems that can accommodate this change.
This effectively eliminates the attack vector while maintaining basic functionality.
For BIG-IP ASM and Advanced WAF users, F5 suggests implementing DoS protection profiles configured with TPS and stress-based attributes, including Behavioral DoS Detection and Mitigation capabilities.
These profiles should be associated with HTTP/2 virtual servers and configured with appropriate threshold and mitigation settings specific to each environment.
System administrators should monitor HTTP/2 profile statistics for signs of attack, particularly watching for disproportionate numbers of RST_STREAM frames sent and WINDOW_UPDATE frames received compared to normal client traffic.
Significant increases in CPU load accompanied by these statistical anomalies may indicate active exploitation attempts requiring immediate attention.
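The monitoring guidance above can be turned into a simple per-interval check: compare RST_STREAM frames sent and WINDOW_UPDATE frames received per opened stream against a baseline, and only raise an alert when both frame ratios and CPU load depart from normal together. The following is an added example written for this article, not F5 code; the counter names, the `key value` text format and the sample values are all constructed for illustration and do not correspond to the actual BIG-IP HTTP/2 profile statistic names.

```python
"""Heuristic detector for the frame-ratio anomaly described in the article.

Assumptions (constructed for this example, not F5's real statistic names):
  - each interval of HTTP/2 profile statistics is available as "key value" lines
  - keys: streams_opened, rst_stream_sent, window_update_recv, cpu_percent
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Http2Sample:
    """One constructed per-interval snapshot of an HTTP/2 virtual-server profile."""
    streams_opened: int
    rst_stream_sent: int
    window_update_recv: int
    cpu_percent: float


def parse_sample(text: str) -> Http2Sample:
    """Parse constructed 'key value' lines into an Http2Sample (hypothetical format)."""
    fields = {}
    for line in text.strip().splitlines():
        key, value = line.split()
        fields[key] = float(value)
    return Http2Sample(
        streams_opened=int(fields["streams_opened"]),
        rst_stream_sent=int(fields["rst_stream_sent"]),
        window_update_recv=int(fields["window_update_recv"]),
        cpu_percent=fields["cpu_percent"],
    )


def ratios(s: Http2Sample) -> Tuple[float, float]:
    """RST_STREAM sent and WINDOW_UPDATE received, each normalised per opened stream."""
    denom = max(s.streams_opened, 1)  # avoid division by zero on idle intervals
    return s.rst_stream_sent / denom, s.window_update_recv / denom


def baseline(samples: List[Http2Sample]) -> Tuple[float, float, float]:
    """Mean RST ratio, mean WINDOW_UPDATE ratio and mean CPU over known-good intervals."""
    rs = [ratios(s) for s in samples]
    mean_rst = sum(r[0] for r in rs) / len(rs)
    mean_wu = sum(r[1] for r in rs) / len(rs)
    mean_cpu = sum(s.cpu_percent for s in samples) / len(samples)
    return mean_rst, mean_wu, mean_cpu


def is_suspicious(current: Http2Sample, good: List[Http2Sample],
                  factor: float = 5.0, cpu_delta: float = 30.0) -> bool:
    """True only when BOTH frame ratios exceed the baseline by `factor` AND CPU jumped.

    Requiring all three signals together avoids alerting on ordinary load spikes
    (high CPU with normal frame ratios) or on a single chatty client.
    """
    b_rst, b_wu, b_cpu = baseline(good)
    c_rst, c_wu = ratios(current)
    frame_anomaly = (c_rst > factor * max(b_rst, 0.01)
                     and c_wu > factor * max(b_wu, 0.01))
    cpu_anomaly = current.cpu_percent - b_cpu >= cpu_delta
    return frame_anomaly and cpu_anomaly


# Constructed known-good intervals: a few resets, ~1.5 WINDOW_UPDATEs per stream.
GOOD_INTERVALS = [
    parse_sample("streams_opened 1000\nrst_stream_sent 20\nwindow_update_recv 1500\ncpu_percent 20"),
    parse_sample("streams_opened 1200\nrst_stream_sent 30\nwindow_update_recv 1800\ncpu_percent 25"),
]

# Constructed interval matching the article's description: resets on almost every
# stream, a flood of WINDOW_UPDATEs and a large CPU increase.
ATTACK_INTERVAL = parse_sample(
    "streams_opened 1000\nrst_stream_sent 950\nwindow_update_recv 40000\ncpu_percent 85"
)

# Constructed legitimate busy period: CPU is high but frame ratios are normal.
BUSY_INTERVAL = parse_sample(
    "streams_opened 5000\nrst_stream_sent 100\nwindow_update_recv 7500\ncpu_percent 70"
)

if __name__ == "__main__":
    for name, sample in (("attack", ATTACK_INTERVAL), ("busy", BUSY_INTERVAL)):
        print(f"{name}: suspicious={is_suspicious(sample, GOOD_INTERVALS)}")
```

The thresholds (`factor` and `cpu_delta`) are starting points, not tuned values; as the advisory notes, settings have to be chosen per environment, and a baseline should be rebuilt from intervals that are known to be free of attack traffic.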