2025-08-14

Researchers have discovered a new severe flaw in HTTP/2, the main protocol powering the modern internet. Hackers can launch previously unseen DDoS attacks by sending unlimited requests from every bot they control, exhausting server resources.

Hackers just received a new way to crash web servers with ease.

Security researchers at Tel Aviv University have discovered a massive protocol flaw that lets attackers flood servers with unlimited requests, consuming resources and ultimately causing crashes.

They dubbed the vulnerability “MadeYouReset” because it builds on the “Rapid Reset” flaw, which since its discovery in 2023 has been behind the largest DDoS attacks ever observed.

In a neat twist, the new vulnerability slips past the usual mitigation, according to discoverer Gal Bar Nahum, a Master’s student in Computer Science at Tel Aviv University.

The flaw has been assigned CVE-2025-8671 and carries a high severity rating of 7.5 out of 10.

“By opening streams and then rapidly triggering the server to reset them – using malformed frames or flow control errors – an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection,” the description reads.

How can the vulnerability be exploited?

The HTTP/2 protocol has a built-in concurrency protection mechanism that is supposed to limit the number of requests one client can have open at once. The setting is called MAX_CONCURRENT_STREAMS, and its usual default is 100 streams.

However, the protocol also has a request cancellation feature, which allows clients to tell servers that they no longer need a response to the request they’ve sent. Cancelled requests do not count towards the limit.

DDoS attackers have been abusing this feature by exploiting the “Rapid Reset” vulnerability: rapidly cancelling requests and sending new ones, overwhelming the server.

“In theory, canceling a stream should instruct the server to stop working on the HTTP request and abort sending a response – even if it was already calculated – to avoid wasting server resources and bandwidth. However, in practice, on many servers and implementations, request cancellation only aborts sending the response to the client once it's computed,” Nahum explains.

This flaw was mitigated by limiting the number of requests the client can cancel (the number of RST_STREAM frames the client can send).

Older Rapid Reset attack. Image by Gal Bar Nahum.

The new MadeYouReset flaw introduces a novel approach: forcing the server to cancel requests for the attacker.

Hackers can trick servers by sending invalid control frames or violating protocol sequencing at just the right moment.

“We can make the server send RST_STREAM for a stream that already carried a valid request,” the researcher explains.

New MadeYouReset flaw. Image by Gal Bar Nahum.

“I found six such ‘make the server send RST_STREAM’ primitives defined by the RFC, so they apply to any RFC‑compliant implementation.”

So the attacker never has to send a single RST_STREAM frame itself and therefore never reaches the limit. They can exploit this mismatch by opening new requests while the backend is still processing the old ones.
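The accounting mismatch described in the two passages above (the Rapid Reset budget on client-sent RST_STREAM frames, and the server-sent resets that slip past it while backend work continues) can be modelled in a few dozen lines. The following is an added illustration written for this article; it is not code from the researchers or from Netty, Jetty, Tomcat or any other server named here. It simulates one HTTP/2 connection under two accounting policies: the "naive" policy budgets only client resets and counts only protocol-open streams, while the "hardened" policy holds a concurrency slot until the backend is actually finished, cancels backend work where the handler supports it, and draws server-initiated resets from the same abuse budget. The client action that makes the server reset a stream is deliberately abstract (an `invalid_frame` event); no particular frame type is assumed.

```python
"""Simulated HTTP/2 stream accounting on a single connection (added
example; not the code of any server named in the article)."""


class NaiveConnection:
    """Rapid Reset era accounting: only client RST_STREAM frames are
    budgeted, only protocol-open streams count toward the concurrency
    limit, and a reset never cancels backend work."""

    def __init__(self, max_concurrent=100, rst_budget=100):
        self.max_concurrent = max_concurrent
        self.rst_budget = rst_budget
        self.open = {}          # streams open at the protocol level
        self.backend = {}       # streams the backend is still working on
        self.client_rsts = 0
        self.closed = False     # connection torn down (GOAWAY sent)
        self.peak_backend = 0   # most backend work in flight at once

    def headers(self, sid):
        """Client sends HEADERS to open a request stream."""
        if self.closed or len(self.open) >= self.max_concurrent:
            return False        # refused: limit reached or closed
        self.open[sid] = self.backend[sid] = True
        self.peak_backend = max(self.peak_backend, len(self.backend))
        return True

    def client_rst(self, sid):
        """Client cancels with RST_STREAM: counted, but work continues."""
        self.open.pop(sid, None)
        self.client_rsts += 1
        if self.client_rsts > self.rst_budget:
            self.closed = True

    def invalid_frame(self, sid):
        """A protocol violation the server must answer with RST_STREAM.
        The stream leaves the open set; the backend is never told."""
        self.open.pop(sid, None)

    def backend_done(self, sid):
        """Response finished; the stream closes normally."""
        self.backend.pop(sid, None)
        self.open.pop(sid, None)


class HardenedConnection(NaiveConnection):
    """Accounting fix: a stream keeps its slot until the backend is done,
    a reset cancels backend work when the handler supports it, and
    server-sent resets share the abuse budget with client-sent ones."""

    def __init__(self, max_concurrent=100, rst_budget=100, cancellable=True):
        super().__init__(max_concurrent, rst_budget)
        self.cancellable = cancellable   # can handlers be interrupted?
        self.server_rsts = 0

    def headers(self, sid):
        # Count work in flight, not merely protocol-open streams.
        if self.closed or len(self.backend) >= self.max_concurrent:
            return False
        return super().headers(sid)

    def _reset(self, sid):
        self.open.pop(sid, None)
        if self.cancellable:
            self.backend.pop(sid, None)  # cooperative cancellation

    def client_rst(self, sid):
        self._reset(sid)
        self.client_rsts += 1
        if self.client_rsts > self.rst_budget:
            self.closed = True

    def invalid_frame(self, sid):
        self._reset(sid)
        self.server_rsts += 1            # budget server resets as well
        if self.server_rsts > self.rst_budget:
            self.closed = True


def _drive(conn, cycles, reset):
    """Open a stream, reset it, repeat. Returns (peak backend work, closed)."""
    sid = 1
    for _ in range(cycles):
        if not conn.headers(sid):
            break               # refused or connection already closed
        reset(sid)
        sid += 2                # client-initiated stream ids are odd
    return conn.peak_backend, conn.closed


def rapid_reset(conn, cycles):
    """Rapid Reset pattern: the client itself sends RST_STREAM each time."""
    return _drive(conn, cycles, conn.client_rst)


def made_you_reset(conn, cycles):
    """MadeYouReset pattern: the server is provoked into sending RST_STREAM."""
    return _drive(conn, cycles, conn.invalid_frame)


if __name__ == "__main__":
    print("naive, Rapid Reset:      ", rapid_reset(NaiveConnection(), 1000))
    print("naive, MadeYouReset:     ", made_you_reset(NaiveConnection(), 1000))
    print("hardened, MadeYouReset:  ", made_you_reset(HardenedConnection(), 1000))
    print("hardened, no cancellation:",
          made_you_reset(HardenedConnection(cancellable=False), 1000))
```

Run as a script, the naive connection caps Rapid Reset at 101 streams of backend work before the client-reset budget closes the connection, but lets MadeYouReset pile up all 1,000 streams of backend work without ever closing; the hardened connection bounds both patterns, either by cancelling the work (peak of one stream, connection closed once the shared budget is spent) or, where handlers cannot be interrupted, by refusing new streams once 100 are in flight. The point for implementers is the second policy, not the choice of limits: whatever the server counts toward MAX_CONCURRENT_STREAMS must track work actually in progress, and resets the server itself emits must be budgeted alongside those the client sends.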

Most affected servers are vulnerable to DDoS attacks that can exhaust both bandwidth and computing power.

“A very strong server could withstand an attack from a weak attacker. However, from my tests, due to the asymmetric nature of sending a request versus computing a response – and the fact that the attacker can easily create an unbounded number of active requests – most servers are susceptible to a complete DoS, with a significant number also susceptible to an out‑of‑memory (OOM) crash,” the researcher said.

Fixes are being released

It is likely that many web servers remain unpatched and vulnerable to potential attacks. Most HTTP/2 servers and major systems, including Netty, Jetty, and Apache Tomcat, are affected.

The researchers disclosed the flaw to coordinating bodies and vendors in advance, giving them time to prepare. Various vendors are now releasing patches and issuing statements on how to address the vulnerability.

SUSE, the company behind the enterprise Linux distribution, has updated several upstream projects with a fix for the issue and has also provided patches that allow the flaw to be addressed in versions of their software shipped with SUSE products.

Varnish Cache, a popular web accelerator, released security patches for the vulnerability affecting versions 5.x through 7.7.1. The company is advising users who can’t upgrade to disable HTTP/2 support entirely as a temporary mitigation.

Fastly, a major content delivery network, deployed a fix across its entire network by June 2nd, requiring no action from customers. The company said it received a pre-release report on May 13th.

Netty, a popular Java networking framework, released version 4.2.4.Final specifically to address the MadeYouReset flaw.

The advisory states that Apache Tomcat, an open-source web server, was fixed with a commit two weeks ago. However, Red Hat, the company behind another enterprise Linux distribution, warns Apache Tomcat users that “no mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.”