MadeYouReset is a newly identified attack technique affecting multiple HTTP/2 implementations that lets attackers bypass the limit of 100 concurrent requests that servers impose per connection. By sending thousands of requests, attackers can create denial-of-service conditions for legitimate users. The issue, tracked as CVE-2025-8671, affects various products, including Apache Tomcat and F5 BIG-IP. MadeYouReset builds on earlier vulnerabilities such as Rapid Reset and leverages RST_STREAM frames to exploit server limitations, potentially leading to service disruptions and out-of-memory crashes.
MadeYouReset bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of simultaneous requests a client can send.
With MadeYouReset, an attacker can send many thousands of requests, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes.
MadeYouReset builds upon Rapid Reset and its mitigation, which limits the number of streams a client can cancel using RST_STREAM.
For MadeYouReset to work, the stream must begin with a valid request that the server starts processing; a stream error is then triggered so that the server itself emits RST_STREAM while the backend is still computing the response.
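The defensive point in the paragraph above is that a server which frees the concurrency slot as soon as a stream is reset, and which only counts client-sent RST_STREAM frames toward its Rapid Reset budget, leaves its backend unprotected. The following is an added illustration, not code from the original page or from any affected product: two simplified per-connection trackers, a naive one and a hardened one that counts in-flight backend work and treats server-emitted resets the same as client cancellations. The 100-stream limit comes from the page; the reset budget of 50, the event names and the simulated request stream are assumptions.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT = 100  # the per-connection stream limit the page mentions
RESET_BUDGET = 50     # assumed per-connection reset budget (deployment-specific)

@dataclass
class NaiveTracker:
    """Counts open streams; only client-sent RST_STREAM counts toward the budget."""
    open_streams: set = field(default_factory=set)
    client_resets: int = 0

    def on_headers(self, sid):
        if len(self.open_streams) >= MAX_CONCURRENT:
            return "refuse"
        self.open_streams.add(sid)
        return "accept"

    def on_reset(self, sid, origin):
        self.open_streams.discard(sid)  # slot freed although the backend still works
        if origin == "client":
            self.client_resets += 1
        return "close" if self.client_resets > RESET_BUDGET else "ok"

@dataclass
class HardenedTracker:
    """Counts backend work in flight; resets of either origin share one budget."""
    in_flight: set = field(default_factory=set)
    resets: int = 0

    def on_headers(self, sid):
        if len(self.in_flight) >= MAX_CONCURRENT:
            return "refuse"
        self.in_flight.add(sid)
        return "accept"

    def on_reset(self, sid, origin):
        self.resets += 1  # server-emitted resets count the same as client ones
        return "close" if self.resets > RESET_BUDGET else "ok"

    def on_backend_done(self, sid):
        self.in_flight.discard(sid)  # only now is the concurrency slot released

def run(tracker, n_requests):
    """Constructed event stream: n requests, each reset by a server-side stream
    error while the backend is still busy. Returns (accepted, connection_closed)."""
    accepted = 0
    for i in range(n_requests):
        if tracker.on_headers(2 * i + 1) == "accept":
            accepted += 1
            if tracker.on_reset(2 * i + 1, "server") == "close":
                return accepted, True
    return accepted, False
```

Run against the same 1000-request stream, the naive tracker accepts every request because each server-triggered reset frees a slot and is never budgeted, while the hardened tracker closes the connection once the shared reset budget is exhausted and would refuse new streams at 100 outstanding backend jobs even without it.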