VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames
A recently discovered vulnerability, known as "MadeYouReset" (CVE-2025-8671), affects numerous HTTP/2 implementations. This flaw allows denial of service (DoS) attacks by exploiting a mismatch in how stream resets are handled. The vulnerability arises because, while HTTP/2 specifications consider a reset stream closed, many server implementations continue processing the request internally. This discrepancy means that a client can trigger an unbounded number of concurrent requests on a single connection. Attackers can leverage this by rapidly sending reset frames, causing resource exhaustion on the server. The primary impact is the potential for distributed denial of service (DDoS) attacks, leading to server overload or memory exhaustion. While HTTP/2 has a setting for maximum concurrent streams, reset streams are not accounted for within this limit. This vulnerability is similar to the "Rapid Reset" attack (CVE-2023-44487). Several vendors have released patches, and users are advised to apply them. CERT/CC recommends that vendors review their HTTP/2 implementations and limit server-sent RST_STREAMs. Additional mitigation strategies are available from the vulnerability's reporters.