Source: go.theregister.com – Author: Gareth Halfacree
Security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel have published details of a “common design flaw” in implementations of the HyperText Transfer Protocol 2 (HTTP/2) allowing those with ill intent to create “massive Denial of Service attacks”.
And, being the underpinnings of the modern web, HTTP/2 is widely deployed enough to mean that they had to coordinate disclosure with more than a hundred affected vendors.
“During recent research into HTTP/2, I found a DoS vulnerability I named MadeYouReset,” Nahum explained in a blog post introducing the issue. “It lets an attacker create effectively unbounded concurrent work on servers while bypassing HTTP/2’s built‑in concurrency limit.
It builds on the flaw behind 2023’s ‘Rapid Reset,’ with a neat twist that slips past the usual mitigation.”
First announced in 2012, HTTP/2 is still the most widely-used web protocol, despite public availability of its successor HTTP/3 which emerged in 2019. HTTP/2 brought a wealth of improvements over its first-generation predecessor, the brainchild of Sir Tim Berners-Lee at CERN. Sadly, it also brought with it no small number of bugs – including the one responsible for Nahum’s vulnerability discovery.
The flaw has been given the official identifier CVE-2025-8671 and extends the earlier CVE-2023-44487 “Rapid Reset” vulnerability first disclosed in 2023 – which is, apparently, not yet fully fixed. Exploitation allows an attacker to bypass the concurrency limits which would normally prevent a server from accepting more work than it can handle. In Rapid Reset, miscreants bypass the limits by quickly cancelling a request; in MadeYouReset, they trick the server into cancelling the request on the client’s behalf – bypassing the protections put in place back in 2023.
“From my tests,” Nahum explained, “due to the asymmetric nature of sending a request versus computing a response – and the fact that the attacker can easily create an unbounded number of active requests – most servers are susceptible to a complete DoS, with a significant number also susceptible to an out‑of‑memory (OOM) crash.”
When Nahum says “most servers,” it’s no exaggeration. Because the flaw is common to most implementations of HTTP/2, researchers had to notify more than one hundred vendors – big names including Apache Tomcat, H2O, Cisco, Fastly, Mozilla, Netty, Varnish Software, Wind River, the Zephyr Project, Google, IBM, and Microsoft – that they were shipping, running, or otherwise exposing vulnerable systems.
Thales’ Imperva, which “partially supported” the research, has suggested a range of mitigation strategies including using stricter protocol validation, deploying more rigorous stream state tracking to reject invalid transitions, implementing connection-level rate controls, and – naturally enough, given it sells exactly this – deploying anomaly detection and behavioral monitoring systems.
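One way to act on the “stream state tracking” and “connection-level rate controls” advice above is to account for resets on the server side the same way the Rapid Reset mitigations already account for client resets. The sketch below is an added example written for this page; it is not code from the researchers, Imperva, or any affected vendor, and its limits, stream ids, and simulated traffic are constructed for illustration. The point it demonstrates: a counter that only looks at RST_STREAM frames sent by the client never trips when the server is the one doing the resetting, while a counter that charges every reset of a stream with work in progress, whichever side sent it, closes the connection once the budget is exhausted.

```python
"""Per-connection reset accounting that covers both Rapid Reset and the
MadeYouReset variant described in the article.

Added example, not code from the article, the researchers or any vendor.
Limits, stream ids and the simulated traffic below are constructed.
"""
from collections import deque
from enum import Enum


class StreamState(Enum):
    OPEN = "open"    # request accepted, handler running
    DONE = "done"    # response sent normally
    RESET = "reset"  # torn down by RST_STREAM from either side


class ConnectionResetGuard:
    """Sliding-window budget of 'work discarded by reset' per connection.

    The HTTP/2 concurrency limit only counts streams that are still open.
    A reset removes the stream from that count, but any backend work the
    server already started keeps running. So the guard charges every reset
    of an OPEN stream against the budget, regardless of who sent the frame.
    """

    def __init__(self, max_resets, window_seconds, count_server_resets=True):
        self.max_resets = max_resets
        self.window = window_seconds
        # False models a Rapid Reset-only mitigation that ignores its own resets
        self.count_server_resets = count_server_resets
        self.streams = {}
        self.reset_times = deque()  # timestamps of resets charged to the budget

    def open_stream(self, stream_id):
        if stream_id in self.streams:
            raise ValueError(f"stream {stream_id} already seen on this connection")
        self.streams[stream_id] = StreamState.OPEN

    def finish_stream(self, stream_id):
        self.streams[stream_id] = StreamState.DONE

    def reset_stream(self, stream_id, now, sent_by):
        """Record a RST_STREAM. Returns True if the connection should be closed
        because too much in-flight work was thrown away within the window."""
        if self.streams.get(stream_id) is not StreamState.OPEN:
            return False  # nothing in flight; a late or duplicate reset is harmless
        self.streams[stream_id] = StreamState.RESET
        if sent_by == "server" and not self.count_server_resets:
            return False  # the gap MadeYouReset slips through
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window:
            self.reset_times.popleft()
        return len(self.reset_times) > self.max_resets

    def open_count(self):
        """What the protocol-level concurrency limit sees: open streams only."""
        return sum(1 for s in self.streams.values() if s is StreamState.OPEN)


def simulate_server_resets(count_server_resets, n_streams=200, budget=100):
    """Constructed traffic: every stream is accepted, its handler started, and
    then reset by the server itself. Returns ('closed', n) once the guard
    rejects the connection after n streams, or ('open', n_streams) if it never does."""
    guard = ConnectionResetGuard(max_resets=budget, window_seconds=1.0,
                                 count_server_resets=count_server_resets)
    now = 0.0
    for i in range(n_streams):
        stream_id = 2 * i + 1  # client-initiated streams use odd ids
        guard.open_stream(stream_id)
        if guard.reset_stream(stream_id, now, sent_by="server"):
            return ("closed", i + 1)
        now += 0.001
    return ("open", n_streams)


if __name__ == "__main__":
    print("client-only accounting:", simulate_server_resets(count_server_resets=False))
    print("both-sides accounting: ", simulate_server_resets(count_server_resets=True))
```

In both runs the concurrency limit itself would be satisfied throughout, since `open_count()` drops back to zero after each reset; only the reset budget distinguishes the two policies. The window length and budget are knobs a real server would tune against its own legitimate reset rate, and the guard says nothing about why the server reset a stream, which is deliberate: any server-initiated reset that discards started work is charged, so new triggers do not need new rules.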
“MadeYouReset serves as a reminder,” the company said in a statement: “even well-formed traffic can be weaponized if we don’t look closely enough.”
If you’re running HTTP/2 servers or proxies, the company advises you to check with your vendors about whether a patch is available for the MadeYouReset flaw. Apache Tomcat, Fastly, and Varnish Software have announced patches. Mozilla has said that “many of [its] websites and services” will need to be patched, the Zephyr Project has announced it has begun an investigation, and Red Hat has said that “while some Red Hat offerings include affected components” they are covered by remediation “already tracked by other specific CVEs.”
Cisco, meanwhile, stated that it is “not directly affected by this vulnerability” while admitting that “Cisco products and services may be affected… as a result of using an affected third-party software library.”
The H2O server is patched against attack from commit #4729b66 onwards, with Fastly announcing it has upgraded its internal H2O fork accordingly.
You can find more information on the Deepness Lab blog and in the CVE.
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/14/madeyoureset_http2_flaw_lets_attackers/