Security researchers have disclosed a critical vulnerability in the HTTP/2 protocol that could enable massive distributed denial-of-service (DDoS) attacks, potentially affecting millions of web servers worldwide.
The flaw, dubbed “MadeYouReset” and assigned CVE-2025-8671, was publicly disclosed on August 13, 2025, by researchers who warn it could surpass the impact of the devastating “Rapid Reset” attacks from 2023.
Vulnerability Overview
The MadeYouReset vulnerability allows attackers to bypass HTTP/2’s built-in concurrency limits, enabling them to create unbounded concurrent work on target servers with minimal resources.
This represents a significant escalation from traditional DDoS methods, as attackers can overwhelm servers while using far less bandwidth and computational power than conventional attacks.
| Project | CVE |
| General HTTP/2 | CVE-2025-8671 |
| Netty | CVE-2025-55163 |
| Apache Tomcat | CVE-2025-48989 |
| F5 BIG-IP | CVE-2025-54500 |
| H2O | CVE-2025-8671 |
| Swift-NIO-HTTP2 | Pending |
The research was conducted jointly by security expert Gal Bar-Nahum with Professor Anat Bremler-Barr and Yaniv Harel from Tel Aviv University, with partial support from Imperva.
The vulnerability builds upon the foundation of 2023’s Rapid Reset attack but introduces a clever twist that circumvents the common mitigation strategies deployed after the previous incident.
Rapid Attack TestHTTP/2 includes a parameter called MAX_CONCURRENT_STREAMS, typically set to 100, which limits the number of active streams a client can maintain simultaneously.
This mechanism was designed to prevent server overload from malicious clients opening too many concurrent requests.
The original Rapid Reset attack exploited request cancellation features, allowing attackers to open streams and immediately cancel them using RST_STREAM frames.
While servers continued processing these cancelled requests, they no longer counted toward the concurrency limit, enabling unbounded attack potential.
MadeYouReset takes a different approach entirely. Instead of the client canceling requests, the new technique tricks the server into canceling them automatically.
Researchers identified six different methods to trigger server-initiated RST_STREAM frames while maintaining valid backend processing, completely bypassing the RST_STREAM counting mitigations implemented after Rapid Reset.
The vulnerability affects virtually all HTTP/2-compliant implementations. Testing reveals that most servers can be driven into complete denial of service, with many experiencing out-of-memory crashes.
The attack’s effectiveness depends on server capacity, attacker bandwidth, and target resource complexity, but the asymmetric nature of the attack makes most implementations vulnerable.
Organizations running HTTP/2 servers should immediately review vendor advisories and apply available patches to mitigate this critical vulnerability.
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
