CERT/CC has issued a vulnerability note warning about a newly discovered flaw in multiple HTTP/2 implementations that could allow threat actors to launch highly effective denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. The vulnerability, colloquially named “MadeYouReset” and tracked as CVE-2025-8671, stems from how many servers handle server-sent stream resets.
According to CERT/CC, “MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers. This results in resource exhaustion, and a threat actor can leverage this vulnerability to perform a distributed denial of service attack (DDoS).”
The vulnerability bears similarities to CVE-2023-44487, better known as “Rapid Reset,” which abused client-sent stream resets. In contrast, MadeYouReset takes advantage of server-sent stream resets, triggering backend processing that continues even after the protocol considers the stream closed.
CERT/CC explains: “After a stream is canceled, many implementations keep processing the request, compute the response, but don’t send it back to the client.” This discrepancy between HTTP/2 stream accounting and backend request handling enables an attacker to flood the server with unbounded concurrent requests over a single connection.
An attacker opens multiple HTTP/2 streams and then rapidly triggers the server to reset them using malformed frames or flow control errors. The protocol’s SETTINGS_MAX_CONCURRENT_STREAMS limit should, in theory, prevent overload. However, once a stream is reset, the HTTP/2 layer no longer counts it toward this limit—while the backend server continues to process it.
This design flaw means that an attacker can maintain a constant flow of “reset” streams, forcing the server to handle far more active requests than intended. The result: high CPU load or memory exhaustion and, ultimately, service disruption.
CERT/CC warns that “threat actors exploiting the vulnerability will likely be able to force targets offline or heavily limit connection possibilities for clients by making the server process an extremely high number of concurrent requests.” Depending on the specific HTTP/2 implementation, the impact may manifest as CPU overload or memory exhaustion, potentially crippling critical services during an attack.
Multiple vendors have already issued patches or advisories addressing MadeYouReset. CERT/CC urges organizations to review vendor statements and apply updates promptly.
CERT/CC further recommends that developers and maintainers of HTTP/2-based products:
- Limit the number or rate of RST_STREAM frames sent from the server.
- Audit HTTP/2 implementations for backend processing mismatches.
- Explore additional mitigations described in the technical write-up by the vulnerability reporters.
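To make the accounting mismatch concrete, the following is an added toy model, not code from the CERT/CC note or from any affected server. It simulates one HTTP/2 connection in which the protocol layer enforces SETTINGS_MAX_CONCURRENT_STREAMS while a backend keeps running handlers for streams the server has already reset, then shows how the two mitigations listed above close the gap: cancelling backend work when the server resets a stream, and capping the number of RST_STREAM frames the server will send on one connection before it answers with GOAWAY instead. Frame parsing, sockets and the conditions that make a server reset a stream are abstracted away; the limit of 100 streams and the budget of 50 resets are assumed values chosen for the demonstration.

```python
"""Toy model of the HTTP/2 stream-accounting mismatch behind MadeYouReset.

Added illustration, not code from the CERT/CC note or from any affected
server. One connection, two mitigation knobs: cancel backend work on reset,
and an optional per-connection budget of server-sent RST_STREAM frames.
"""

from dataclasses import dataclass, field
from typing import Optional

MAX_CONCURRENT_STREAMS = 100  # value the server advertises in SETTINGS (assumed)


@dataclass
class Backend:
    """Request handlers that keep running until finished or explicitly cancelled."""
    in_flight: set[int] = field(default_factory=set)
    peak: int = 0  # highest number of handlers running at the same time

    def start(self, stream_id: int) -> None:
        self.in_flight.add(stream_id)
        self.peak = max(self.peak, len(self.in_flight))

    def cancel(self, stream_id: int) -> None:
        self.in_flight.discard(stream_id)


@dataclass
class Connection:
    """HTTP/2 layer of a single client connection."""
    cancel_on_reset: bool                   # mitigation 1: stop backend work for reset streams
    rst_budget: Optional[int] = None        # mitigation 2: max RST_STREAM frames the server sends
    backend: Backend = field(default_factory=Backend)
    open_streams: set[int] = field(default_factory=set)
    rst_sent: int = 0
    closed: bool = False

    def open_stream(self, stream_id: int) -> bool:
        """Client opens a stream; only open streams count toward the concurrency limit."""
        if self.closed or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False  # a real server would answer REFUSED_STREAM
        self.open_streams.add(stream_id)
        self.backend.start(stream_id)  # request handed to the backend immediately
        return True

    def reset_stream(self, stream_id: int) -> str:
        """Server has to reset the stream (e.g. after a stream-level protocol error).

        Returns the frame the server sends: RST_STREAM, or GOAWAY when the
        reset budget is exhausted and the whole connection is closed instead.
        """
        if self.rst_budget is not None and self.rst_sent >= self.rst_budget:
            self.closed = True
            return "GOAWAY"
        self.rst_sent += 1
        # The stream stops counting toward SETTINGS_MAX_CONCURRENT_STREAMS ...
        self.open_streams.discard(stream_id)
        # ... but only a fixed server also stops the backend work it spawned.
        if self.cancel_on_reset:
            self.backend.cancel(stream_id)
        return "RST_STREAM"


def simulate(rounds: int, cancel_on_reset: bool,
             rst_budget: Optional[int] = None, reset_each: bool = True) -> dict:
    """Open `rounds` streams on one connection (resetting each one when
    `reset_each` is set) and report how the two layers account for them."""
    conn = Connection(cancel_on_reset=cancel_on_reset, rst_budget=rst_budget)
    for stream_id in range(1, 2 * rounds, 2):  # client-initiated streams are odd-numbered
        if not conn.open_stream(stream_id):
            break
        if reset_each and conn.reset_stream(stream_id) == "GOAWAY":
            break
    return {
        "streams_counted_by_h2": len(conn.open_streams),
        "backend_peak": conn.backend.peak,
        "rst_sent": conn.rst_sent,
        "connection_closed": conn.closed,
    }


if __name__ == "__main__":
    cases = [
        ("well-behaved client, no resets", dict(cancel_on_reset=False, reset_each=False)),
        ("vulnerable: reset streams keep running", dict(cancel_on_reset=False)),
        ("fix 1: cancel backend work on reset", dict(cancel_on_reset=True)),
        ("fix 2: budget of 50 RST_STREAM per connection", dict(cancel_on_reset=False, rst_budget=50)),
    ]
    for label, kwargs in cases:
        print(f"{label}: {simulate(1000, **kwargs)}")
```

Without resets the concurrency limit holds and the backend never runs more than 100 handlers. In the vulnerable configuration the HTTP/2 layer reports zero open streams while the backend peaks at 1000 handlers for a single connection, which is the resource-exhaustion path the note describes. Cancelling backend work on reset keeps the backend at one handler; a reset budget alone bounds the exposure at roughly the budget size per connection, so the two mitigations are complementary rather than alternatives.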