A critical protocol-level vulnerability discovered across numerous HTTP/2 implementations enables threat actors to mount potent denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
Tracked as CVE-2025-8671 and colloquially known as “MadeYouReset,” this vulnerability exploits a fundamental mismatch between the HTTP/2 specification and real-world server implementations.
Security researchers from Tel Aviv University—Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel—discovered the vulnerability, which represents a concerning evolution of similar attacks that have plagued the internet for years.
The vulnerability operates by abusing server-sent stream resets, creating a discrepancy between how many active HTTP/2 streams a server believes it’s handling versus the actual number of backend HTTP requests it’s processing.
When an attacker rapidly triggers server resets using malformed frames or flow control errors, the protocol considers these reset streams as closed and inactive.
However, backend servers continue processing the requests despite the stream reset, allowing an attacker to force a single connection to handle an unbounded number of concurrent HTTP/2 requests.
This fundamental architectural oversight transforms a stream cancellation feature into a weapon for resource exhaustion.
Understanding the Technical Exploitation
HTTP/2 introduced stream cancellation, allowing both clients and servers to close a stream immediately at any point during communication.
The protocol includes a SETTINGS_MAX_CONCURRENT_STREAMS parameter designed to prevent precisely this type of attack by limiting the number of active streams per session.
In theory, this safeguard should protect servers from being overwhelmed by malicious stream requests.
However, the vulnerability exploits a critical implementation flaw: when a server resets a stream that an attacker opened, the protocol layer marks the stream as closed and no longer counts it against the concurrent stream limit. Meanwhile, backend processing of the request continues unabated.
By repeatedly provoking server-sent resets, attackers manipulate servers into processing far more requests than the concurrent stream limit is meant to allow.
The protocol sees these as closed, inactive streams, but the server’s backend continues handling them, ultimately leading to severe resource exhaustion.
Depending on implementation specifics, victims may experience catastrophic CPU overload or devastating memory exhaustion.
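The accounting mismatch described above, as an added illustrative model (not code from any affected project): the vulnerable variant counts only protocol-visible open streams, while the hardened variant also counts requests the backend is still processing and enforces a budget on server-sent RST_STREAM frames, as CERT/CC recommends. The limit values, event names and the "slow backend" assumption are constructed for the example.

```python
"""Model of HTTP/2 stream accounting behind MadeYouReset (CVE-2025-8671).
Added educational example; limits and event names are constructed."""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100       # SETTINGS_MAX_CONCURRENT_STREAMS (sample value)
MAX_SERVER_RESETS_PER_WINDOW = 50  # hardened only: budget of server-sent RST_STREAM


@dataclass
class Connection:
    hardened: bool
    open_streams: set = field(default_factory=set)      # protocol layer's view
    backend_inflight: set = field(default_factory=set)  # requests backend still runs
    server_resets: int = 0
    closed: bool = False  # hardened server tore the connection down (GOAWAY)

    def on_headers(self, stream_id: int) -> bool:
        """Client opens a stream; returns False if refused (REFUSED_STREAM)."""
        if self.closed:
            return False
        if self.hardened:
            # Count streams the backend is still processing, even if reset.
            active = len(self.open_streams | self.backend_inflight)
        else:
            active = len(self.open_streams)  # vulnerable: reset streams vanish
        if active >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(stream_id)
        self.backend_inflight.add(stream_id)  # request handed to the backend
        return True

    def on_protocol_error(self, stream_id: int) -> None:
        """A bad frame on the stream makes the server send RST_STREAM."""
        if stream_id not in self.open_streams:
            return
        self.open_streams.discard(stream_id)  # protocol view: stream is closed
        # backend_inflight is deliberately untouched: the backend keeps working.
        self.server_resets += 1
        if self.hardened and self.server_resets > MAX_SERVER_RESETS_PER_WINDOW:
            self.closed = True  # too many server-sent resets: stop this peer

    def on_backend_done(self, stream_id: int) -> None:
        self.backend_inflight.discard(stream_id)


def simulate(hardened: bool, rounds: int) -> dict:
    """Open a stream, trigger a server reset, repeat; backend never finishes."""
    conn = Connection(hardened=hardened)
    accepted = 0
    for sid in range(1, 2 * rounds, 2):  # client streams use odd IDs
        if conn.on_headers(sid):
            accepted += 1
            conn.on_protocol_error(sid)
    return {"accepted": accepted, "backend_inflight": len(conn.backend_inflight),
            "protocol_open": len(conn.open_streams), "closed": conn.closed}
```

With 1000 rounds the vulnerable connection reports zero open streams while the backend holds 1000 requests; the hardened one accepts 51 and then refuses further streams.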
Widespread Industry Impact and Response
MadeYouReset closely resembles CVE-2023-44487, commonly called “Rapid Reset,” which exploited client-sent stream resets.
This continuity of vulnerability classes suggests that HTTP/2 implementations have systematically failed to properly account for the lifecycle management of stream resets.
The advisory indicates that numerous major vendors and projects are affected, including Apache Tomcat, Mozilla, Red Hat, SUSE Linux, Netty, gRPC, Fastly, Varnish Software, the Eclipse Foundation, and AMPHP.
Many of these vendors have already released patches or public statements addressing the vulnerability. Apache Tomcat's instance of the flaw was assigned its own identifier, CVE-2025-48989.
The Computer Emergency Response Team Coordination Center (CERT/CC) has recommended that vendors implement stricter limitations on the number and rate of RST_STREAM frames sent from servers, alongside comprehensive reviews of their HTTP/2 implementations.
Organizations running affected HTTP/2 infrastructure should prioritize patching immediately. The vulnerability’s DDoS potential makes it particularly attractive to threat actors seeking to conduct large-scale attacks against critical infrastructure.
Security teams should consult vendor advisories, apply available patches, and consider implementing additional rate-limiting controls on reset frames until patches are deployed. Further technical details and mitigation strategies are available through the vulnerability reporters’ supplemental materials.
