MadeYouReset: A New HTTP/2 Vulnerability
Security researchers from Tel Aviv University have discovered a critical vulnerability in HTTP/2 implementations that allows attackers to trigger denial-of-service conditions by making servers reset their own connections[^1].
Unlike the 2023 HTTP/2 Rapid Reset attack that relied on clients spamming RST_STREAM frames, MadeYouReset tricks servers into performing the resets themselves through carefully crafted protocol-compliant frames[^1]. The attack exploits four key mechanisms:
- Window-Overflow: Sending WINDOW_UPDATE frames that exceed protocol limits
- Zero-Increment: Using invalid zero-value WINDOW_UPDATE frames
- Half-Closed Stream Abuse: Sending illegal frames on half-closed streams
- Priority-Length Mismatch: Creating malformed PRIORITY frames
The vulnerability (CVE-2025-8671) affects major HTTP/2 implementations including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP[^1]. Over 100 vendors required notification during the coordinated disclosure process[^8].
"Most servers are susceptible to a complete DoS, with a significant number also susceptible to an out-of-memory crash," said researcher Gal Bar Nahum[^8].
Recommended mitigations include:
- Stricter protocol validation
- Enhanced stream state tracking
- Connection-level rate controls
- Behavioral monitoring for protocol violations[^1]
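The four frame-level triggers listed above and the first three mitigations (stricter validation, stream state tracking, connection-level rate controls) can be shown together in one defensive frame validator. The example below is added here; it is not code from the Imperva research or from any of the named servers. Frame layout and the error rules follow RFC 9113; the `Connection` class, the `max_resets` budget, and the sample frames in `demo()` are constructed for illustration. The idea is that a server which must reset a stream after a malformed frame should count those resets per connection and, once a budget is exceeded, close the whole connection with GOAWAY rather than resetting stream after stream.

```python
"""Defensive HTTP/2 frame validator with a per-connection reset budget.

Added illustration, not code from the MadeYouReset research or any named
server. Frame layout and error handling follow RFC 9113; the thresholds
and the sample frames in demo() are constructed for this example.
"""
import struct
import time

# Frame type codes from RFC 9113 section 6
DATA, HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x8
MAX_WINDOW = 2**31 - 1  # largest flow-control window RFC 9113 allows

# Verdicts the validator hands back to the connection handler
OK, RESET_STREAM, CLOSE_CONNECTION = "ok", "reset_stream", "close_connection"


def parse_frame(buf):
    """Split one frame into (type, flags, stream_id, payload) per RFC 9113 s4.1."""
    if len(buf) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return ftype, flags, stream_id, payload


class Connection:
    """Tracks stream state, flow-control windows and a reset budget per connection."""

    def __init__(self, max_resets=10, window_seconds=1.0, clock=time.monotonic):
        self.window = {0: 65535}          # stream 0 holds the connection-level window
        self.half_closed_remote = set()    # streams on which the peer already sent END_STREAM
        self.max_resets = max_resets       # server-initiated resets tolerated per time window
        self.window_seconds = window_seconds
        self.clock = clock                 # injectable for deterministic tests
        self.reset_times = []              # timestamps of server-initiated resets

    def _budget_reset(self):
        """Rate control: record one server-initiated reset; tear down if over budget."""
        now = self.clock()
        self.reset_times = [t for t in self.reset_times if now - t < self.window_seconds]
        self.reset_times.append(now)
        if len(self.reset_times) > self.max_resets:
            return CLOSE_CONNECTION  # send GOAWAY instead of resetting stream after stream
        return RESET_STREAM

    def handle(self, frame_bytes):
        """Validate one frame and return OK, RESET_STREAM or CLOSE_CONNECTION."""
        ftype, flags, sid, payload = parse_frame(frame_bytes)

        if ftype == PRIORITY:
            # Priority-Length mismatch: PRIORITY payload is exactly 5 octets (s6.3),
            # anything else is a stream error of type FRAME_SIZE_ERROR
            return OK if len(payload) == 5 else self._budget_reset()

        if ftype == WINDOW_UPDATE:
            if len(payload) != 4:
                return CLOSE_CONNECTION  # wrong length is a connection error (s6.9)
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            current = self.window.get(sid, 65535)
            # Zero-Increment: an increment of 0 is a PROTOCOL_ERROR (s6.9)
            # Window-Overflow: the window may never exceed 2^31-1 (s6.9.1)
            if increment == 0 or current + increment > MAX_WINDOW:
                return CLOSE_CONNECTION if sid == 0 else self._budget_reset()
            self.window[sid] = current + increment
            return OK

        if ftype in (DATA, HEADERS):
            # Half-closed stream abuse: after the peer's END_STREAM, further DATA or
            # HEADERS on that stream is a STREAM_CLOSED stream error (s5.1)
            if sid in self.half_closed_remote:
                return self._budget_reset()
            if flags & 0x1:  # END_STREAM flag
                self.half_closed_remote.add(sid)
            return OK

        if ftype == RST_STREAM:
            self.half_closed_remote.discard(sid)
            return OK

        return OK  # other frame types are outside this example


def build_frame(ftype, flags, stream_id, payload):
    """Assemble a raw frame; used here only to construct sample input."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id)
    return header + payload


def demo(clock=time.monotonic):
    """Run three constructed malformed frames through one connection with a budget of 2."""
    conn = Connection(max_resets=2, clock=clock)
    frames = [
        build_frame(WINDOW_UPDATE, 0, 1, struct.pack("!I", 0)),           # zero increment
        build_frame(WINDOW_UPDATE, 0, 1, struct.pack("!I", MAX_WINDOW)),  # overflows the window
        build_frame(PRIORITY, 0, 3, b"\x00" * 4),                         # 4-byte PRIORITY payload
    ]
    return [conn.handle(f) for f in frames]


if __name__ == "__main__":
    print(demo())  # third frame exceeds the budget, so the connection is closed
```

The budget is the part that matters against this class of attack: each individual verdict is exactly what RFC 9113 already requires, but without a per-connection cap a server keeps paying the cost of a reset for every malformed frame a single connection sends. Tuning `max_resets` and `window_seconds` to real traffic, and logging the `CLOSE_CONNECTION` verdicts, also gives the behavioral monitoring signal the last mitigation asks for.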
[^1]: Imperva - MadeYouReset: Turning HTTP/2 Server Against Itself
[^8]: The Register - 'MadeYouReset' HTTP/2 flaw lets attackers DoS servers