MadeYouReset: A New HTTP/2 Vulnerability

Security researchers from Tel Aviv University have discovered a critical vulnerability in HTTP/2 implementations that allows attackers to trigger denial-of-service conditions by making servers reset their own connections[1].

Unlike the 2023 HTTP/2 Rapid Reset attack that relied on clients spamming RST_STREAM frames, MadeYouReset tricks servers into performing the resets themselves through carefully crafted protocol-compliant frames[1]. The attack exploits four key mechanisms:

  • Window-Overflow: Sending WINDOW_UPDATE frames that exceed protocol limits
  • Zero-Increment: Using invalid zero-value WINDOW_UPDATE frames
  • Half-Closed Stream Abuse: Sending illegal frames on half-closed streams
  • Priority-Length Mismatch: Creating malformed PRIORITY frames

The vulnerability (CVE-2025-8671) affects major HTTP/2 implementations including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP[1]. Over 100 vendors required notification during the coordinated disclosure process[2].

“Most servers are susceptible to a complete DoS, with a significant number also susceptible to an out-of-memory crash,” said researcher Gal Bar Nahum[2].

Recommended mitigations include:

  • Stricter protocol validation
  • Enhanced stream state tracking
  • Connection-level rate controls
  • Behavioral monitoring for protocol violations[1]
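
As an added illustration of the last two mitigations (not code from the researchers or any affected vendor), the sketch below counts, per connection, the client frames that fall into the four categories listed above and signals when a reset budget is exceeded. `ResetMonitor`, the budget of 3 and the sample bytes are assumptions made for the example, and window accounting is simplified.

```python
import struct

MAX_WINDOW = 2**31 - 1  # RFC 9113 flow-control window ceiling
DATA, HEADERS, PRIORITY, WINDOW_UPDATE, END_STREAM = 0x0, 0x1, 0x2, 0x8, 0x1
# Constructed sample: zero-increment WINDOW_UPDATE (stream 1), 4-byte PRIORITY (stream 3)
SAMPLE = bytes.fromhex("000004080000000001" "00000000" "000004020000000003" "00000000")

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) from raw HTTP/2 frame bytes."""
    pos = 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):
            break  # truncated frame; a real server would wait for more bytes
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos + 9 : end]
        pos = end

class ResetMonitor:
    """Per-connection count of client frames that make the server send RST_STREAM."""
    def __init__(self, budget=3, initial_window=65535):  # budget: assumed value
        self.budget, self.initial_window = budget, initial_window
        self.window, self.half_closed, self.violations = {}, set(), []

    def classify(self, ftype, flags, sid, payload):
        if sid == 0:
            return None  # errors on stream 0 are connection errors, not resets
        if ftype == PRIORITY and len(payload) != 5:
            return "priority-length-mismatch"
        if ftype == WINDOW_UPDATE and len(payload) == 4:
            inc = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if inc == 0:
                return "zero-increment"
            # Simplified: ignores window already consumed by response DATA.
            new = self.window.get(sid, self.initial_window) + inc
            if new > MAX_WINDOW:
                return "window-overflow"
            self.window[sid] = new
        elif ftype in (DATA, HEADERS):
            if sid in self.half_closed:
                return "half-closed-stream-abuse"
            if flags & END_STREAM:
                self.half_closed.add(sid)
        return None

    def feed(self, buf):  # True: reset budget spent, close the connection (GOAWAY)
        for ftype, flags, sid, payload in parse_frames(buf):
            if kind := self.classify(ftype, flags, sid, payload):
                self.violations.append((sid, kind))
        return len(self.violations) > self.budget
```

Counting per connection rather than per stream is what makes the control effective here, since each induced reset lands on a different stream.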

  1. Imperva - MadeYouReset: Turning HTTP/2 Server Against Itself

  2. The Register - ‘MadeYouReset’ HTTP/2 flaw lets attackers DoS servers