Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 8/13/25 11:27, Alan Coopersmith wrote:
> https://kb.cert.org/vuls/id/767506 was published today:
>
> > HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack
> >  through HTTP/2 control frames
> > Vulnerability Note VU#767506
> > Original Release Date: 2025-08-13 | Last Revised: 2025-08-13
> >
> > Overview
> > --------
> > A vulnerability has been discovered within many HTTP/2 implementations
> > allowing for denial of service (DoS) attacks through HTTP/2 control frames.
> > This vulnerability is colloquially known as "MadeYouReset" and is tracked
> > as CVE-2025-8671. Some vendors have assigned a specific CVE to their
> > products to describe the vulnerability, such as CVE-2025-48989, which is
> > used to identify Apache Tomcat products affected by the vulnerability.

OSS implementations that have responded (whether affected or not) include:

- Apache Tomcat - CVE-2025-48989
  https://www.openwall.com/lists/oss-security/2025/08/13/2

- h2o - CVE-2025-8671
  https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq

- hyper.rs h2 - CVE-2025-8671
  https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/

- ISC BIND - CVE-2025-8671
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5325

- lighttpd - CVE-2025-8671
  https://www.lighttpd.net/2025/8/13/1.4.80/

- Netty - CVE-2025-55163
  https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4

- Varnish - CVE-2025-8671
  https://varnish-cache.org/security/VSV00017.html

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris