Security researchers have identified a vulnerability in HTTP/2 named MadeYouReset that enables unbounded concurrent work on servers, leading to potential Denial of Service attacks. This flaw bypasses existing concurrency limits that should restrict server workload. It extends a previously disclosed vulnerability known as Rapid Reset, which remains unaddressed. The official identifier for this vulnerability is CVE-2025-8671. Because HTTP/2 is still widely used despite the existence of its successor, HTTP/3, the flaw prompted a coordinated disclosure effort with notifications to numerous vendors.
During recent research into HTTP/2, I found a DoS vulnerability I named MadeYouReset. It lets an attacker create effectively unbounded concurrent work on servers while bypassing HTTP/2's built‑in concurrency limit.
The flaw has been given the official identifier CVE-2025-8671 and extends the earlier CVE-2023-44487 'Rapid Reset' vulnerability first disclosed in 2023 - which is, apparently, not yet fully fixed.