MadeYouReset (CVE-2025-8671): New HTTP/2 DoS Vulnerability Bypasses Rapid Reset Defenses
mine2 team · 3 min read
Protocol vulnerability · #http2 #cve-2025-8671 #madeyoureset


A newly disclosed HTTP/2 vulnerability, CVE-2025-8671 'MadeYouReset,' enables large-scale DoS attacks by bypassing mitigations for Rapid Reset (CVE-2023-44487). Multiple popular implementations are affected, including Apache Tomcat, F5 BIG-IP, Netty, and Fastly.


Overview

A new HTTP/2 protocol vulnerability—dubbed “MadeYouReset” and tracked as CVE-2025-8671—has been disclosed, enabling attackers to conduct high-volume denial-of-service (DoS) attacks that bypass defensive measures introduced for the earlier Rapid Reset flaw (CVE-2023-44487).

The issue arises from incorrect handling of RST_STREAM frames in multiple HTTP/2 implementations. Instead of terminating backend processing when a stream is reset, affected servers keep handling the request. Because SETTINGS_MAX_CONCURRENT_STREAMS only counts streams that are still open, every reset frees a slot while the backend work it started continues, so an attacker can drive effectively unlimited backend work through a bounded number of open streams and overwhelm resources.

Impact: CPU exhaustion, memory leaks, application instability, and potential crashes.
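To make the accounting gap concrete, here is an added toy model (not code from the advisory or from any affected project) of a server's stream table. The only difference between the two configurations is whether a reset also cancels the backend job; names such as Http2Server and BackendJob are illustrative, and the model counts jobs instead of doing real work.

```python
"""Toy model of HTTP/2 stream accounting around RST_STREAM.

Added example, not from the advisory or from any affected implementation.
It models the defect described above: a server that drops a reset stream
from its concurrency count but lets the backend keep working on the request.
Http2Server, BackendJob and MAX_CONCURRENT_STREAMS are illustrative names.
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # stands in for the SETTINGS_MAX_CONCURRENT_STREAMS limit


@dataclass
class BackendJob:
    stream_id: int
    cancelled: bool = False


@dataclass
class Http2Server:
    cancel_backend_on_reset: bool          # False = vulnerable accounting, True = corrected
    open_streams: set = field(default_factory=set)
    backend_jobs: dict = field(default_factory=dict)

    def open_stream(self, stream_id):
        """HEADERS frame: admit the stream only while under the concurrency limit."""
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False                    # refused by the protocol limit
        self.open_streams.add(stream_id)
        self.backend_jobs[stream_id] = BackendJob(stream_id)  # request dispatched
        return True

    def reset_stream(self, stream_id):
        """Stream reset (whichever side sent RST_STREAM).

        Both configurations free the concurrency slot; only the corrected one
        also stops the backend job, which is the fix the advisory describes.
        """
        self.open_streams.discard(stream_id)
        if self.cancel_backend_on_reset:
            self.backend_jobs[stream_id].cancelled = True

    def live_backend_jobs(self):
        """Backend work still running, regardless of stream state."""
        return sum(1 for job in self.backend_jobs.values() if not job.cancelled)


def simulate_reset_churn(cancel_on_reset, rounds):
    """Open one stream, have it reset, repeat; return the peak number of live backend jobs."""
    server = Http2Server(cancel_backend_on_reset=cancel_on_reset)
    peak = 0
    for stream_id in range(1, 2 * rounds, 2):   # client-initiated streams use odd ids
        assert server.open_stream(stream_id)     # never refused: the slot was freed by the reset
        server.reset_stream(stream_id)
        peak = max(peak, server.live_backend_jobs())
    return peak


if __name__ == "__main__":
    rounds = 500
    print("vulnerable accounting, peak live jobs:", simulate_reset_churn(False, rounds))
    print("corrected accounting, peak live jobs:", simulate_reset_churn(True, rounds))
    print("concurrency limit:", MAX_CONCURRENT_STREAMS)
```

Run as a script it shows that with vulnerable accounting the live backend work grows with every reset and passes the concurrency limit, while the corrected server never has more than zero live jobs after a reset. The limit was only ever bounding open streams, which is exactly why it offers no protection here.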


Vulnerability Summary

  • CVE ID: CVE-2025-8671 (plus vendor-specific CVEs)
  • Class: Denial-of-Service (DoS)
  • Protocol: HTTP/2
  • Related CVE: CVE-2023-44487 (Rapid Reset)
  • Impact: CPU/memory exhaustion → service downtime
  • Prerequisites: Remote access to HTTP/2 endpoints

Affected Products & CVEs

  • Apache Tomcat (CVE-2025-48989)
    • Affected versions: 11.0.0-M1 → 11.0.9; 10.1.0-M1 → 10.1.43; 9.0.0.M1 → 9.0.107
    • Fixed versions: 11.0.10+, 10.1.44+, 9.0.108+
  • F5 BIG-IP (CVE-2025-54500)
    • Affected versions: Next (20.3.0), SPK 2.0.0–2.0.2, CNF 2.0.0–2.0.2, K8s 2.0.0, BIG-IP 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, 15.1.0–15.1.10
    • Fixed versions / mitigations: hotfixes available; mitigation: disable HTTP/2 or remove F5SPKIngressHTTP2
  • Netty (CVE-2025-55163)
    • Affected versions: netty-codec-http2 ≤ 4.2.3.Final, ≤ 4.1.123.Final
    • Fixed versions: 4.2.4.Final, 4.1.124.Final
  • Fastly (H2O fork) (CVE-2025-8671)
    • Affected versions: releases < 25.17
    • Fixed versions: release 25.17

Exploitation Path

Attackers exploit MadeYouReset by:

  1. Opening valid HTTP/2 streams.
  2. Sending crafted frames (WINDOW_UPDATE, PRIORITY, DATA, HEADERS).
  3. Triggering server-initiated RST_STREAM responses.
  4. Exploiting faulty implementations where the backend still processes canceled requests.
  5. Repeating indefinitely to overload CPU/memory resources, causing slowdown or crash.

This effectively bypasses Rapid Reset protections and enables persistent DoS attacks.


Detection Guidance

For F5 BIG-IP and other HTTP/2 platforms, monitor for:

  • High volumes of RST_STREAM (sent) paired with WINDOW_UPDATE (received).
  • Red flags include:
    • Rapid growth in reset streams relative to legitimate requests
    • CPU utilization spikes without proportional traffic volume

If CPU impact is minimal → continue monitoring.
If consumption spikes → apply hotfix or patch immediately.
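The decision rule above (resets anomalous but CPU flat: keep monitoring; resets anomalous and CPU spiking without matching traffic: act) can be turned into a small detector. The following is an added example, not F5 tooling or part of the advisory; it assumes you can export per-interval HTTP/2 counters (server-sent RST_STREAM, received WINDOW_UPDATE, new streams, CPU) from your proxy or an exporter, and the records below are constructed samples with illustrative field names.

```python
"""Rule-based detector for the MadeYouReset signals listed in the guidance above.

Added example, not part of the advisory and not vendor tooling. Field names on
IntervalStats are illustrative; the SAMPLES records are constructed test data.
"""
from dataclasses import dataclass


@dataclass
class IntervalStats:
    t: int                     # interval start, seconds
    requests: int              # new HTTP/2 streams opened by clients in the interval
    rst_sent: int              # RST_STREAM frames the server sent
    window_update_recv: int    # WINDOW_UPDATE frames the server received
    cpu_pct: float             # server CPU utilisation for the interval


# Constructed sample: a quiet baseline, then server-sent resets tracking received
# WINDOW_UPDATEs while request volume barely moves and CPU climbs.
SAMPLES = [
    IntervalStats(0,  1200,    3,   40, 22.0),
    IntervalStats(10, 1180,    2,   35, 21.5),
    IntervalStats(20, 1210,    4,   38, 23.0),
    IntervalStats(30, 1250,  900,  880, 30.0),   # resets anomalous, CPU still modest
    IntervalStats(40, 1230, 1500, 1490, 79.0),   # resets anomalous, CPU spiking
    IntervalStats(50, 1240, 2100, 2090, 94.0),
]


def reset_ratio(stats):
    """Server-sent resets per client-opened stream."""
    return stats.rst_sent / max(stats.requests, 1)


def classify(samples, baseline_n=3, ratio_threshold=0.25, cpu_delta=15.0, traffic_slack=0.2):
    """Classify each interval after the baseline window.

    Returns (t, severity, reset_ratio) tuples, where severity is
    'ok', 'watch' (resets anomalous, CPU flat: continue monitoring) or
    'act' (resets anomalous and CPU spiking without matching traffic growth).
    """
    base = samples[:baseline_n]
    base_ratio = max(reset_ratio(s) for s in base)
    base_cpu = sum(s.cpu_pct for s in base) / len(base)
    base_req = sum(s.requests for s in base) / len(base)
    results = []
    for s in samples[baseline_n:]:
        ratio = reset_ratio(s)
        resets_anomalous = ratio > max(ratio_threshold, 5 * base_ratio)
        # the guidance's signature: RST_STREAM sent paired with WINDOW_UPDATE received
        paired = s.rst_sent > 0 and abs(s.rst_sent - s.window_update_recv) <= 0.1 * s.rst_sent
        traffic_flat = s.requests <= base_req * (1 + traffic_slack)
        cpu_spike = s.cpu_pct - base_cpu >= cpu_delta
        if resets_anomalous and paired and cpu_spike and traffic_flat:
            severity = "act"
        elif resets_anomalous and paired:
            severity = "watch"
        else:
            severity = "ok"
        results.append((s.t, severity, round(ratio, 3)))
    return results


if __name__ == "__main__":
    for t, severity, ratio in classify(SAMPLES):
        print(f"t={t:>3}s  resets/request={ratio:<6}  {severity}")
```

The thresholds are starting points, not tuned values: the reset ratio threshold and the CPU delta should be set from your own baseline, and the "paired" test deliberately allows a 10% gap because counters from different subsystems rarely line up exactly.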


Recommendations

  • Apply patches/hotfixes:
    • Apache Tomcat → 11.0.10+, 10.1.44+, 9.0.108+
    • Netty → 4.2.4.Final or 4.1.124.Final
    • F5 BIG-IP → vendor hotfixes
    • Fastly → release 25.17
  • Temporary mitigations (if patching is not possible):
    • Disable HTTP/2 (fall back to HTTP/1.1).
    • Use rate-limiting and anomaly detection for HTTP/2 traffic.
  • Active monitoring:
    • Track RST_STREAM abuse and resource spikes.
    • Audit for CPU/memory exhaustion tied to HTTP/2 streams.
  • Impact assessment:
    • Evaluate downtime risks in environments heavily dependent on HTTP/2 optimizations.
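Checking an inventory against the fixed versions above is harder than it looks because Tomcat milestones (11.0.0-M1, 9.0.0.M1) and Netty's .Final suffix do not compare as plain dotted numbers. The following added example (not from the advisory or any vendor) encodes the advisory's branch/fixed-version data and parses those formats; F5 BIG-IP is left out because its fix is a hotfix rather than a version boundary, and the product keys and the inventory rows are constructed labels.

```python
"""Patch-status check against the fixed versions listed in this advisory.

Added example; not part of the advisory and not a vendor tool. The branch and
fixed-version data is copied from the advisory's table. F5 BIG-IP is not
modelled because its fix ships as hotfixes. Product keys ("tomcat", "netty",
"h2o-fastly") and the hosts in the sample inventory are illustrative.
"""
import re

# (branch prefix, first fixed version) per product, from the advisory's table.
FIXED_BY_BRANCH = {
    "tomcat": [((11, 0), "11.0.10"), ((10, 1), "10.1.44"), ((9, 0), "9.0.108")],
    "netty": [((4, 2), "4.2.4.Final"), ((4, 1), "4.1.124.Final")],
    "h2o-fastly": [((), "25.17")],   # empty prefix: the bound applies to every release
}


def version_key(version):
    """Sortable key (numeric components, pre-release marker).

    Tomcat milestones written as 11.0.0-M1 or 9.0.0.M1 sort before the
    11.0.0 / 9.0.0 GA release; Netty's ".Final" suffix is ignored.
    """
    nums, pre = [], (1, 0)             # (1, 0) marks a GA release
    for tok in re.split(r"[.-]", version.strip()):
        milestone = re.fullmatch(r"M(\d+)", tok)
        if tok.isdigit():
            nums.append(int(tok))
        elif milestone:
            pre = (0, int(milestone.group(1)))   # milestone sorts before GA
        elif tok == "Final":
            continue
        else:
            raise ValueError(f"unrecognised version token {tok!r} in {version!r}")
    return (tuple(nums), pre)


def patch_status(product, version):
    """'affected', 'fixed', or 'not-listed' (branch not covered by the advisory)."""
    key = version_key(version)
    for branch, fixed in FIXED_BY_BRANCH[product]:
        if key[0][:len(branch)] == branch:
            return "affected" if key < version_key(fixed) else "fixed"
    return "not-listed"


def check_inventory(inventory):
    """inventory: iterable of (host, product, version); returns the rows needing action."""
    return [(host, product, version)
            for host, product, version in inventory
            if patch_status(product, version) == "affected"]


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        ("app-01", "tomcat", "10.1.43"),
        ("app-02", "tomcat", "11.0.10"),
        ("edge-01", "h2o-fastly", "25.16"),
        ("svc-01", "netty", "4.1.124.Final"),
    ]
    for row in check_inventory(sample):
        print("needs patch:", *row)
```

A "not-listed" result (for example a Tomcat 8.5 host) means the advisory's table says nothing about that branch, not that it is safe; treat it as an open question for the vendor's own advisory.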

Conclusion

The MadeYouReset (CVE-2025-8671) flaw represents a new class of HTTP/2 protocol abuse, sidestepping prior Rapid Reset mitigations.

Organizations using HTTP/2 infrastructures should:

  • Patch aggressively
  • Apply temporary mitigations where upgrades aren’t possible
  • Monitor protocol-level anomalies until full remediation

This vulnerability underscores how protocol logic gaps remain attractive for resilient DoS campaigns.


mine2 team

The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.
