“MadeYouReset” HTTP/2 Attack (CVE-2024-45288) How It Puts Revenue, Customers, and Business Continuity at Risk

A new cyberattack called MadeYouReset can crash websites and apps that rely on the HTTP/2 protocol.

What makes it especially dangerous is that it can bypass many existing protections. With a high-severity rating (7.5/10) and evidence of active exploitation in the wild, this is not just a technical issue; it’s a business risk that can cause downtime, revenue loss, and reputational damage if not addressed quickly.

• Revenue Loss: Even short outages during peak hours can lead to missed transactions, failed payments, and financial penalties.
• Customer Experience: Service slowdowns or downtime damage customer confidence and push users toward competitors.
• Operational Disruption: IT teams waste valuable time fighting outages instead of driving business initiatives.
• Regulatory & Contractual Risk: Repeated outages may trigger SLA breaches, compliance failures, and reputational harm with regulators.

MadeYouReset works by sending malicious web requests that force servers to waste resources. Legitimate customers then find apps slow or unavailable, and in severe cases, servers may crash completely.

The critical concern is that traditional defenses, such as traffic rate limits, often fail to stop this attack, making it harder to rely on “business as usual” safeguards.

Any business using modern web or API services with HTTP/2 is likely at risk. Popular platforms, such as F5 BIG-IP, Apache Tomcat, and Netty, which are widely used across industries, have been confirmed as vulnerable. If your business depends on these systems, you may be exposed unless the latest patches are applied.

• Exposure: Are we using HTTP/2 through platforms like F5 BIG-IP, Tomcat, or Netty?
• Patching: Have we applied the vendor fixes or hotfixes? If not, when is it scheduled?
• Interim Protection: Can we temporarily disable HTTP/2 on critical systems or strengthen firewall protections?
• Monitoring: Do we have alerts in place to detect abnormal traffic before it disrupts customers?

• Stability vs. Speed: Temporarily reverting to older protocols like HTTP/1.1 may slow apps slightly but ensures uptime.
• Prioritization: Protect the most critical services first, payments, logins, and core apps, where downtime hits hardest.
• Audit Trail: Keep records of patches, fixes, and monitoring, it matters for customers, regulators, and the board.