oss-sec mailing list archives

Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 16 Aug 2025 10:29:50 -0700

On 8/13/25 11:27, Alan Coopersmith wrote:
https://kb.cert.org/vuls/id/767506 was published today:

HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack
 through HTTP/2 control frames
Vulnerability Note VU#767506
Original Release Date: 2025-08-13 | Last Revised: 2025-08-13

Overview
--------
A vulnerability has been discovered within many HTTP/2 implementations
allowing for denial of service (DoS) attacks through HTTP/2 control frames.
This vulnerability is colloquially known as "MadeYouReset" and is tracked
as CVE-2025-8671. Some vendors have assigned a specific CVE to their
products to describe the vulnerability, such as CVE-2025-48989, which is
used to identify Apache Tomcat products affected by the vulnerability.

OSS implementations that have responded (whether affected or not) include:

- Apache Tomcat - CVE-2025-48989
  https://www.openwall.com/lists/oss-security/2025/08/13/2

- h2o - CVE-2025-8671
  https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq

- hyper.rs h2 - CVE-2025-8671
  https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/

- ISC BIND - CVE-2025-8671
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5325

- lighttpd - CVE-2025-8671
  https://www.lighttpd.net/2025/8/13/1.4.80/

- Netty - CVE-2025-55163
  https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4

- Varnish - CVE-2025-8671
  https://varnish-cache.org/security/VSV00017.html

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris


Current thread: