Particle.news


HTTP/2 ‘MadeYouReset’ Flaw Exposes Servers to Stealthy DDoS Attacks

A protocol design gap lets attacker-triggered stream resets pile up backend work across diverse HTTP/2 implementations, prompting fixes from major vendors.

[Image: MadeYouReset DDoS attack]

Overview

  • MadeYouReset (CVE-2025-8671) sends valid requests followed by HTTP/2 control frames that violate the protocol, so that the server itself resets each stream. The server then treats the stream as closed while the backend keeps processing the request it carried, and that work accumulates without bound. Unlike the 2023 Rapid Reset attack, the client never sends RST_STREAM, so defences that rate-limit client-sent resets do not apply.
  • The flaw stems from a mismatch between stream-reset semantics and server request handling: a stream the server has reset no longer counts toward SETTINGS_MAX_CONCURRENT_STREAMS, but the request is still being processed, so a single connection can hold far more backend work than the advertised per-connection limit.
  • Security researchers warn that the technique can fuel large-scale DDoS attacks that are hard to detect, because the triggering frames look like ordinary protocol errors mixed into normal traffic; no in-the-wild exploitation has been observed to date.
  • Apache Tomcat, F5, Fastly and Varnish have already released patches, while other affected projects are assessing impact and assigning vendor-specific CVEs.
  • CERT/CC and the discovering teams recommend limiting the rate of RST_STREAM frames, auditing HTTP/2 stream handling, and consulting the supplemental mitigations hosted on GitHub.
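To make the mechanism in the bullets above concrete, here is an added toy model in Python of per-connection stream accounting. It is not code from the article, the researchers, or any affected server. It assumes two things the article does not state: that the trigger is a WINDOW_UPDATE frame with a zero increment, which RFC 9113 section 6.9 requires the server to answer with RST_STREAM, and that "backend work" is just a count of requests a worker pool has accepted but not finished. The vulnerable configuration enforces SETTINGS_MAX_CONCURRENT_STREAMS on open streams only; the hardened one counts in-flight backend requests instead and gives up on the connection after a budget of server-forced resets. Both mitigations are illustrative, not any vendor's actual patch.

```python
"""Toy model of the HTTP/2 stream accounting that MadeYouReset abuses.

Added illustration only: not code from the article, the researchers, or any
affected server. Only HEADERS and WINDOW_UPDATE frames are modelled, and
"backend work" is a count of requests handed to a worker pool that have not
yet completed. The limits and the attacker loop are assumed values.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_CONCURRENT_STREAMS = 100   # value the server advertises in SETTINGS


@dataclass
class Http2Connection:
    # Assumed mitigations (hardened settings), both off by default:
    #   count_backend_work - enforce the stream limit on in-flight backend
    #                        requests instead of on streams still open
    #   max_server_resets  - send GOAWAY once the server has been forced to
    #                        emit this many RST_STREAMs; None disables the check
    count_backend_work: bool = False
    max_server_resets: Optional[int] = None

    open_streams: Set[int] = field(default_factory=set)
    inflight: int = 0            # requests accepted by the backend, not finished
    server_resets: int = 0
    closed: bool = False
    refused: int = 0

    def _load(self) -> int:
        return self.inflight if self.count_backend_work else len(self.open_streams)

    def on_headers(self, stream_id: int) -> str:
        """Client opens a stream with a complete, valid request."""
        if self.closed:
            return "dropped"
        if self._load() >= MAX_CONCURRENT_STREAMS:
            self.refused += 1
            return "REFUSED_STREAM"
        self.open_streams.add(stream_id)
        self.inflight += 1       # request is dispatched to the backend
        return "accepted"

    def on_window_update(self, stream_id: int, increment: int) -> str:
        """RFC 9113 s6.9: a zero increment is a stream error, so the server
        answers with RST_STREAM and closes the stream for HTTP/2 accounting.
        Nothing here tells the backend to abandon the request: that gap is
        the bug being modelled."""
        if self.closed or stream_id not in self.open_streams:
            return "ignored"
        if increment > 0:
            return "ok"
        self.open_streams.discard(stream_id)
        self.server_resets += 1
        if self.max_server_resets is not None and self.server_resets > self.max_server_resets:
            self.closed = True
            return "GOAWAY"
        return "RST_STREAM"

    def on_backend_done(self, n: int = 1) -> None:
        """Worker pool reports finished requests (not exercised by the attack)."""
        self.inflight -= n


def made_you_reset(conn: Http2Connection, requests: int) -> int:
    """Attacker loop: a valid request, then a zero-increment WINDOW_UPDATE on
    the same stream, so the server (not the client) resets it. Returns the
    backend work left in flight on this one connection. Stream ids are odd
    because client-initiated streams must be."""
    for i in range(requests):
        stream_id = 2 * i + 1
        conn.on_headers(stream_id)
        conn.on_window_update(stream_id, 0)
    return conn.inflight


if __name__ == "__main__":
    vulnerable = Http2Connection()
    print("vulnerable: backend requests in flight =", made_you_reset(vulnerable, 10_000))
    hardened = Http2Connection(count_backend_work=True, max_server_resets=50)
    print("hardened:   backend requests in flight =", made_you_reset(hardened, 10_000))
```

With the assumed values, the vulnerable connection ends with 10,000 backend requests in flight against an advertised limit of 100, because each server-sent reset frees a stream slot without freeing the worker. The hardened connection stops at 51: the in-flight budget alone would cap it at 100 and refuse the rest, and the reset budget closes the connection after the 51st forced reset. The check a practitioner would apply to a real server is the same one the model makes visible: whether the limit is tied to work the backend still holds, and whether a reset actually cancels that work.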