
‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks – Source: www.securityweek.com


Source: www.securityweek.com – Author: Eduard Kovacs

Researchers have discovered another attack vector that can be exploited to launch massive distributed denial-of-service (DDoS) attacks.

The attack, dubbed MadeYouReset, is similar to Rapid Reset, which in 2023 was exploited in zero-day attacks that broke DDoS records in terms of requests per second (RPS). 

MadeYouReset, discovered by researchers at security firm Imperva and Tel Aviv University in Israel, leverages a design flaw in HTTP2 implementations.

“HTTP/2 introduced stream cancellation – the ability of both client and server to immediately close a stream at any time. However, after a stream is canceled, many implementations keep processing the request, compute the response, but don’t send it back to the client,” the CERT/CC at Carnegie Mellon University explained in an advisory. “This creates a mismatch between the amount of active streams from the HTTP/2 point of view, and the actual active HTTP requests the backend server is processing.”

“By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, an attacker can exploit a discrepancy created between HTTP/2 streams accounting and the server’s active HTTP requests. Streams reset by the server are considered closed, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent HTTP/2 requests on a single connection,” CERT/CC added.

An attacker can continually send reset requests to the targeted server, resulting in highly disruptive DDoS attacks.

However, unlike in the case of Rapid Reset, the MadeYouReset method does not appear to have been exploited in the wild. 

The underlying vulnerability, tracked as CVE-2025-8671, has been found to impact projects and organizations such as AMPHP, Apache Tomcat, the Eclipse Foundation, F5, Fastly, gRPC, Mozilla, Netty, Suse Linux, Varnish Software, Wind River, and Zephyr Project.


Patches have already been released by Apache Tomcat developers, F5, Fastly, and Varnish. Others are still investigating the impact and extent of the flaw. Mozilla is working on patches for affected services and websites, but pointed out that software such as Firefox is not impacted. 

While the vulnerability has been assigned CVE-2025-8671, some of the impacted vendors have assigned their own CVE identifiers. 

Imperva pointed out that MadeYouReset blends with normal traffic, making it more difficult to detect. The company noted that the attack may bypass many existing defenses, but there are several mitigations and other solutions that can thwart attacks.
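As an added illustration (not code from the SecurityWeek article, CERT/CC, or Imperva), the following Python model shows the accounting mismatch described above from the server's side: a naive server frees the HTTP/2 concurrency slot as soon as it resets a stream but never informs the backend, so in-flight backend work on one connection grows without bound even though the stream count stays at zero. The hardened variant applies the two mitigations a defender would want: it propagates the reset to the backend so the work is cancelled, and it caps backend in-flight work per connection independently of HTTP/2 stream state, which still holds when the backend cannot cancel. All class and function names (Backend, NaiveConnection, HardenedConnection, simulate) are hypothetical.

```python
"""
Toy model of HTTP/2 stream accounting vs. backend request accounting.
Added example; hypothetical names, no real HTTP/2 framing is implemented.
"""
from dataclasses import dataclass, field

# Advertised SETTINGS_MAX_CONCURRENT_STREAMS; value chosen for the model.
MAX_CONCURRENT_STREAMS = 100


@dataclass
class Backend:
    """Stands in for the application layer that actually computes responses."""
    cancellable: bool = False          # legacy backends often cannot abort work
    in_flight: set = field(default_factory=set)
    cancelled: set = field(default_factory=set)

    def start(self, stream_id: int) -> None:
        self.in_flight.add(stream_id)

    def cancel(self, stream_id: int) -> None:
        # Only a cancellation-aware backend can drop the work.
        if self.cancellable and stream_id in self.in_flight:
            self.in_flight.discard(stream_id)
            self.cancelled.add(stream_id)


@dataclass
class NaiveConnection:
    """Counts only HTTP/2 stream state: a reset stream is 'closed' at once,
    but the backend keeps processing it (the mismatch CERT/CC describes)."""
    backend: Backend
    open_streams: set = field(default_factory=set)

    def open_stream(self, stream_id: int) -> bool:
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False                # HTTP/2-level concurrency limit reached
        self.open_streams.add(stream_id)
        self.backend.start(stream_id)   # backend starts computing the response
        return True

    def reset_stream(self, stream_id: int) -> None:
        # Server resets the stream (e.g. after a protocol error) and frees the
        # concurrency slot, but never tells the backend to stop.
        self.open_streams.discard(stream_id)


@dataclass
class HardenedConnection(NaiveConnection):
    """Mitigation: bound backend work per connection regardless of stream
    state, and propagate resets to the backend so work is cancelled."""
    max_backend_in_flight: int = MAX_CONCURRENT_STREAMS

    def open_stream(self, stream_id: int) -> bool:
        if len(self.backend.in_flight) >= self.max_backend_in_flight:
            return False                # this connection already saturates the backend
        return super().open_stream(stream_id)

    def reset_stream(self, stream_id: int) -> None:
        super().reset_stream(stream_id)
        self.backend.cancel(stream_id)  # tie backend lifetime to stream lifetime


def simulate(conn_cls, n_streams: int, cancellable: bool = False) -> dict:
    """Open n_streams client streams on one connection, each immediately reset
    by the server, and report the two accounting views side by side."""
    backend = Backend(cancellable=cancellable)
    conn = conn_cls(backend)
    accepted = 0
    for i in range(n_streams):
        stream_id = 2 * i + 1           # client-initiated stream IDs are odd
        if conn.open_stream(stream_id):
            accepted += 1
            conn.reset_stream(stream_id)
    return {
        "accepted": accepted,
        "open_streams": len(conn.open_streams),       # HTTP/2 view
        "backend_in_flight": len(backend.in_flight),  # what the server is really doing
    }


if __name__ == "__main__":
    print("naive:             ", simulate(NaiveConnection, 10_000))
    print("hardened (no cancel):", simulate(HardenedConnection, 10_000))
    print("hardened (cancel):   ", simulate(HardenedConnection, 10_000, cancellable=True))
```

In the naive model the HTTP/2 view reports zero open streams while the backend holds ten thousand in-flight requests from a single connection; the hardened connection either refuses new streams once its backend budget is spent or, with a cancellation-aware backend, keeps both counters in step. The same per-connection budget is also a useful detection signal: a connection whose backend in-flight count keeps climbing while its open-stream count stays flat is exhibiting exactly this mismatch.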

Related: New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

Related: DDoS Attacks Blocked by Cloudflare in 2025 Already Surpass 2024 Total

Related: Record-Breaking 7.3 Tbps DDoS Attack Targets Hosting Provider

Original Post URL: https://www.securityweek.com/madeyoureset-http2-vulnerability-enables-massive-ddos-attacks/

Category & Tags: Vulnerabilities, DDoS, DoS, HTTP2, MadeYouReset, vulnerability
