A new and highly potent vulnerability in the HTTP/2 protocol, dubbed “MadeYouReset,” has been discovered, raising alarms across the cybersecurity community. This flaw, which affects numerous popular web server implementations, enables attackers to launch powerful distributed denial-of-service (DDoS) attacks that can exhaust server resources and lead to service outages. The vulnerability is being tracked under the identifier CVE-2025-8671.
This new attack is a stealthy evolution of a previous flaw, the “Rapid Reset” vulnerability (CVE-2023-44487), which made headlines in 2023 for being exploited in some of the largest DDoS attacks ever recorded. Rapid Reset worked by having a client rapidly open and cancel a high volume of HTTP/2 streams, overwhelming a server’s ability to process them. In response, many organizations implemented mitigations like rate-limiting the number of stream resets a client could issue.
The MadeYouReset attack, however, cleverly bypasses these defenses. Instead of the attacker directly sending “reset” commands, they send seemingly normal-looking HTTP/2 frames that contain subtle violations of the protocol’s rules. These violations, such as sending a WINDOW_UPDATE frame with a value of zero or a PRIORITY frame of the wrong size, force the server to detect an error and reset the stream itself. This “self-inflicted” reset tricks the server into thinking it has freed up resources while, in reality, it’s still burning CPU and memory to process the underlying request, creating a resource-exhaustion loop.
Experts warn that MadeYouReset is particularly dangerous because it’s difficult to detect. The traffic appears legitimate, and since the server is the one issuing the resets, the malicious activity flies under the radar of most existing protections that are designed to spot client-initiated abuses. This makes it possible for a single attacker on one machine to cause significant disruption.
Patches have been released by several major vendors, including Apache Tomcat, F5, Fastly, and Netty. Organizations are being urged to apply these security updates immediately to protect their systems. Additionally, security professionals recommend implementing stricter monitoring for unusual patterns, such as a high rate of server-initiated resets or protocol errors, to catch and mitigate potential attacks. The discovery of MadeYouReset highlights the ongoing need for vigilance and a proactive approach to security in the face of evolving cyber threats.
