Researchers Yaniv Harel, Gal Bar Nahum, and Anat Bremler-Barr have found that a new attack method called MadeYouReset can exploit HTTP/2 implementations and enable denial-of-service attacks, according to The Hacker News.
The flaw, assigned the identifier CVE-2025-8671, bypasses the 100-concurrent-request limit in HTTP/2. It exploits the RST_STREAM frame used for stream cancellation and error signaling, sending specially crafted frames that force servers to reset streams while still processing requests. "With MadeYouReset, an attacker can send many thousands of requests, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes," the researchers said. The vulnerability affects several implementations, including Netty, Apache Tomcat, and F5 BIG-IP. The MadeYouReset technique builds on earlier HTTP/2 flaws such as Rapid Reset and HTTP/2 CONTINUATION Flood, bypassing the existing mitigations designed to limit stream resets. According to a CERT Coordination Center advisory, the attack exploits mismatches between HTTP/2 specifications and server architectures, resulting in resource exhaustion that can be used for DoS attacks.




