A newly discovered vulnerability in the HTTP/2 protocol, dubbed MadeYouReset, poses a serious threat to internet infrastructure. The flaw, revealed by researchers at Tel Aviv University in collaboration with Imperva, allows attackers to launch highly efficient denial-of-service (DoS) attacks without breaking any official protocol rules.
By tricking servers into resetting their connections, attackers can overload them without sending any obvious warning signs.
The vulnerability follows in the footsteps of the infamous Rapid Reset flaw of 2023, but with a twist: this time, the server is tricked into triggering its own failure. This makes the attack more effective and harder to detect using conventional defenses.
HTTP/2 powers over 60% of today’s major websites, making MadeYouReset a priority concern for IT teams and web infrastructure providers globally.
Why It Matters: MadeYouReset exploits internal weaknesses within HTTP/2 without violating the protocol, which makes it hard for existing security tools to catch. Because it can bring down even robust servers with minimal effort, it is considered a serious threat. Timely updates and improved security measures are required to protect key websites and online services from these attacks.
- A Sophisticated Evolution of Rapid Reset: The original Rapid Reset attack relied on clients rapidly cancelling their own requests; MadeYouReset goes further by tricking servers into cancelling requests themselves. What makes this vulnerability particularly dangerous is that the HTTP/2 specification is never violated: by sending frames such as WINDOW_UPDATE or PRIORITY that are syntactically valid yet carry subtle errors, the attacker causes the server itself to reset its streams. Because the traffic mimics legitimate use, many existing defenses fail to detect the behavior in time.
- Silently Bypasses Concurrency Limits: HTTP/2 includes a built-in safeguard that limits clients to 100 active streams per connection. MadeYouReset bypasses this limit by exploiting how servers account for stream resets: even though the server believes a stream is closed, the backend may still be processing it, allowing attackers to pile up thousands of hidden concurrent tasks.
- Wide-Ranging Impact and High Risk: Labeled CVE-2025-8671 with a severity score of 7.5, the vulnerability affects a range of widely used HTTP/2 server platforms, including Apache Tomcat, Jetty, Netty, IBM WebSphere, and BIG-IP. While vendors have issued timely fixes, many legacy or not-yet-patched systems remain vulnerable.
- Existing Mitigations Fall Short: Defenses developed for Rapid Reset, such as rate-limiting RST_STREAM frames, detecting excessive stream churn, or downgrading suspicious clients, are largely ineffective here. Since MadeYouReset never sends client-side resets, it avoids tripping those safeguards entirely.
- Urgent Need for Smarter Defensive Strategies: Since this attack does not rely on obvious signals such as floods of reset commands, experts are recommending more nuanced measures: stricter protocol validation to catch edge-case misuse, better enforcement of stream state transitions, monitoring for abnormal error patterns, and server-level rate controls on protocol violations. Security tools are already being updated to identify and block this behavior more effectively.
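As an added example (not code from the researchers, the vendors or this article), the following Python sketch implements two of the checks recommended above and ties them to the concurrency-limit bullet: a per-connection budget on server-originated RST_STREAM frames, and a cap on backend work still in flight that is counted separately from the protocol-visible open-stream count, so work on streams the server has already reset keeps counting until the backend actually finishes. Class and function names, the default limits, and the event format are assumptions; the churn sequence is constructed sample input.

```python
class H2ConnectionGuard:
    def __init__(self, max_server_resets=10, reset_window=1.0, max_inflight=100):
        self.max_server_resets = max_server_resets  # server-sent RST_STREAMs allowed per window
        self.reset_window = reset_window            # seconds
        self.max_inflight = max_inflight            # backend tasks still running, any stream state
        self.open_streams = set()   # streams open at the protocol level (what the spec limit sees)
        self.inflight = set()       # streams whose backend work has not finished
        self.reset_times = []       # timestamps of server-originated RST_STREAM frames

    def on_headers(self, sid, now):
        self.open_streams.add(sid)   # client opened a stream; backend work starts at once
        self.inflight.add(sid)
        return self._check(now)

    def on_server_reset(self, sid, now):
        # Server sent RST_STREAM (e.g. after a subtly erroneous WINDOW_UPDATE or PRIORITY
        # frame): the stream is closed at the protocol level, but the backend task lives on.
        self.open_streams.discard(sid)
        self.reset_times.append(now)
        return self._check(now)

    def on_backend_done(self, sid, now):
        self.inflight.discard(sid)   # only now does the hidden work really go away
        self.open_streams.discard(sid)
        return self._check(now)

    def _check(self, now):
        # forget server resets older than the window, then apply both limits
        self.reset_times = [t for t in self.reset_times if now - t <= self.reset_window]
        if len(self.reset_times) > self.max_server_resets:
            return "GOAWAY: server-reset budget exceeded"
        if len(self.inflight) > self.max_inflight:
            return "GOAWAY: hidden backend concurrency exceeded"
        return "OK"


def simulate(events, **limits):
    """Replay (time, kind, stream_id) events; return (verdict, time) of the first flag, else None."""
    guard = H2ConnectionGuard(**limits)
    handlers = {"headers": guard.on_headers, "server_reset": guard.on_server_reset,
                "backend_done": guard.on_backend_done}
    for t, kind, sid in events:
        verdict = handlers[kind](sid, t)
        if verdict != "OK":
            return verdict, t
    return None


def constructed_churn(n, step=0.001):
    """Constructed sample: n streams, each opened and immediately reset by the server."""
    return [ev for i in range(n) for ev in ((i * step, "headers", 2 * i + 1),
                                            (i * step, "server_reset", 2 * i + 1))]
```

Note that the churn sequence never has more than one stream open at the protocol level, so a check on open streams alone would pass it; the guard flags it on the reset budget first and, with that budget disabled, on hidden backend concurrency.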
Go Deeper -> MadeYouReset – DEEPNESS Lab
MadeYouReset: Turning HTTP/2 Server Against Itself – Imperva
Critical internet flaw discovered: hackers can crash websites with ease – Cybernews