oss-sec mailing list archives

Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

From: Nick Tait <ntait () redhat com>
Date: Wed, 20 Aug 2025 15:38:18 -0600

One more was published today:

- Jetty - CVE-2025-5115

https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

----------

Jetty's Team Notes

Impact
A denial of service vulnerability similar to Rapid Reset, but where the
client triggers a reset from the server by sending a malformed or invalid
frame.
In particular, this may be triggered by WINDOW_UPDATE frames that are
invalid (e.g. with delta==0 or when the delta makes the window exceed
2^31-1).

Patches
Patch has been merged into 12.0.x mainline via #13449.

Workarounds
No workarounds apart disabling HTTP/2.



On Sat, Aug 16, 2025 at 11:30 AM Alan Coopersmith <
alan.coopersmith () oracle com> wrote:

On 8/13/25 11:27, Alan Coopersmith wrote:

https://kb.cert.org/vuls/id/767506 was published today:

HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack
 through HTTP/2 control frames
Vulnerability Note VU#767506
Original Release Date: 2025-08-13 | Last Revised: 2025-08-13

Overview
--------
A vulnerability has been discovered within many HTTP/2 implementations
allowing for denial of service (DoS) attacks through HTTP/2 control

frames.

This vulnerability is colloquially known as "MadeYouReset" and is

tracked

as CVE-2025-8671. Some vendors have assigned a specific CVE to their
products to describe the vulnerability, such as CVE-2025-48989, which is
used to identify Apache Tomcat products affected by the vulnerability.


OSS implementations that have responded (whether affected or not) include:

- Apache Tomcat - CVE-2025-48989
   https://www.openwall.com/lists/oss-security/2025/08/13/2

- h2o - CVE-2025-8671
   https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq

- hyper.rs h2 - CVE-2025-8671
   https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/

- ISC BIND - CVE-2025-8671
   https://gitlab.isc.org/isc-projects/bind9/-/issues/5325

- lighttpd - CVE-2025-8671
   https://www.lighttpd.net/2025/8/13/1.4.80/

- Netty - CVE-2025-55163
   https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4

- Varnish - CVE-2025-8671
   https://varnish-cache.org/security/VSV00017.html

--
         -Alan Coopersmith-                 alan.coopersmith () oracle com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Current thread:

HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames Alan Coopersmith (Aug 13)
- Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames Alan Coopersmith (Aug 16)
  - Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames Nick Tait (Aug 20)