https://deepness-lab.org/publications/madeyoureset/
Security researchers have discovered a critical new HTTP/2 vulnerability called MadeYouReset that enables attackers to bypass standard server connection limits and launch devastating denial-of-service attacks against web infrastructure. The attack circumvents the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection, allowing malicious actors to send thousands of requests that can overwhelm legitimate users and potentially crash vulnerable server implementations through out-of-memory conditions.
The vulnerability, tracked under the generic identifier CVE-2025-8671, affects multiple widely-used products including Apache Tomcat, F5 BIG-IP, and Netty, each assigned their own specific CVE numbers. MadeYouReset represents the latest in a series of HTTP/2 protocol exploitation techniques following Rapid Reset and HTTP/2 CONTINUATION Flood attacks, but distinguishes itself by building upon existing Rapid Reset mitigations in an unexpected way. The attack exploits the dual nature of RST_STREAM frames, which are used both for client-initiated stream cancellation and server-initiated error signaling, by sending carefully crafted invalid frames that trigger protocol violations and force servers to reset streams while backend systems continue processing requests.
The attack operates through six specific primitives that manipulate various HTTP/2 frame types to induce server-generated RST_STREAM responses, including sending WINDOW_UPDATE frames with zero increments, malformed PRIORITY frames, and DATA frames sent after stream closure. This technique is particularly concerning because it completely bypasses existing Rapid Reset mitigations without requiring attackers to send RST_STREAM frames themselves, effectively achieving the same devastating impact as previous HTTP/2 attacks while evading current protective measures. The discovery highlights the ongoing evolution of protocol-level attacks against web infrastructure, with security experts emphasizing the critical need for comprehensive HTTP/2 protections as the protocol remains foundational to modern web architecture and continues to face increasingly sophisticated exploitation techniques.