
oss-sec mailing list archives
Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 16 Aug 2025 10:29:50 -0700
On 8/13/25 11:27, Alan Coopersmith wrote:
> https://kb.cert.org/vuls/id/767506 was published today:
>
> HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames
> Vulnerability Note VU#767506
> Original Release Date: 2025-08-13 | Last Revised: 2025-08-13
>
> Overview
> --------
> A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. Some vendors have assigned a specific CVE to their products to describe the vulnerability, such as CVE-2025-48989, which is used to identify Apache Tomcat products affected by the vulnerability.
OSS implementations that have responded (whether affected or not) include:

 - Apache Tomcat - CVE-2025-48989
   https://www.openwall.com/lists/oss-security/2025/08/13/2
 - h2o - CVE-2025-8671
   https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
 - hyper.rs h2 - CVE-2025-8671
   https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/
 - ISC BIND - CVE-2025-8671
   https://gitlab.isc.org/isc-projects/bind9/-/issues/5325
 - lighttpd - CVE-2025-8671
   https://www.lighttpd.net/2025/8/13/1.4.80/
 - Netty - CVE-2025-55163
   https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
 - Varnish - CVE-2025-8671
   https://varnish-cache.org/security/VSV00017.html

-- 
        -Alan Coopersmith-              alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris