
Multiple HTTP/2 implementations are susceptible to a new attack technique called MadeYouReset, which can be exploited to carry out powerful denial-of-service (DoS) attacks.
“MadeYouReset bypasses a typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by limiting the number of concurrent requests that a client can send.”
“With MadeYouReset, attackers can send thousands of requests, creating denial-of-service conditions for legitimate users, and in some vendor implementations, escalate to out-of-memory crashes.”
The vulnerability has been assigned the generic CVE identifier CVE-2025-8671, but the issue affects several products, such as Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).
MadeYouReset is the latest HTTP/2 flaw after Rapid Reset (CVE-2023-44487) and CONTINUATION Flood, and could potentially be weaponized to mount massive DoS attacks.

Just as those two earlier attacks abuse RST_STREAM and CONTINUATION frames, respectively, in the HTTP/2 protocol, MadeYouReset builds on Rapid Reset and on its mitigation, which limits the number of streams a client may cancel with RST_STREAM.
Specifically, it takes advantage of the fact that the RST_STREAM frame is used both for cancellation by the client and for signalling a stream error detected by the server. This is achieved by sending carefully crafted frames that trigger protocol violations in unexpected ways, prompting the server itself to issue RST_STREAM and reset the stream.
“For MadeYouReset to work, the stream must start with a valid request that the server begins working on. It then triggers a stream error so that the server emits RST_STREAM while the backend continues to compute the response,” explained Bar Nahum.
“You can cause the server to send RST_STREAM for streams that have already posted valid requests by crafting a specific invalid control frame or by violating the protocol sequence at the right moment.”
Among the six primitives that cause the server to send RST_STREAM frames are:
a WINDOW_UPDATE frame with an increment of 0;
a PRIORITY frame whose length is not 5;
a WINDOW_UPDATE frame with an increment that causes the flow-control window to exceed 2^31-1 (the maximum allowed window size).
This attack is particularly noteworthy because it removes the need for the attacker to send RST_STREAM frames at all, thereby completely bypassing Rapid Reset mitigations while achieving the same impact.
In its advisory, the CERT Coordination Center (CERT/CC) states that MadeYouReset exploits inconsistencies between how the HTTP/2 specification treats stream resets and how the internal architecture of many real-world web servers handles them, resulting in resource exhaustion.
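The accounting gap described above is easy to see in a model. The following is an added illustration, not code from the article, CERT/CC, Imperva or any vendor: an in-memory HTTP/2 server that counts only client-sent RST_STREAM frames toward its Rapid Reset budget and keeps backend work running after a reset, next to a hardened variant that also counts server-emitted resets and cancels backend work when a stream is reset. The frame validator recognises the three primitives the article names. All frames, limits and the traffic pattern are constructed for the demonstration; the limits of 100 streams and 100 resets are assumptions.

```python
"""Model of HTTP/2 stream accounting under server-triggered resets.

Added illustration, not code from the article or any vendor. Frames,
limits and the traffic pattern below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_WINDOW = 2**31 - 1          # RFC 9113 flow-control window ceiling
MAX_CONCURRENT_STREAMS = 100    # typical server-imposed limit (assumed)
RESET_BUDGET = 100              # resets tolerated per connection (assumed)


@dataclass
class Frame:
    kind: str            # "HEADERS", "WINDOW_UPDATE", "PRIORITY", "RST_STREAM"
    stream_id: int
    increment: int = 0   # WINDOW_UPDATE payload
    length: int = 0      # frame length, checked for PRIORITY


def protocol_violation(frame: Frame, window: int) -> Optional[str]:
    """Return why a frame is malformed (three of the article's primitives), or None."""
    if frame.kind == "WINDOW_UPDATE" and frame.increment == 0:
        return "WINDOW_UPDATE with increment 0"
    if frame.kind == "WINDOW_UPDATE" and window + frame.increment > MAX_WINDOW:
        return "WINDOW_UPDATE overflows 2^31-1"
    if frame.kind == "PRIORITY" and frame.length != 5:
        return "PRIORITY frame length != 5"
    return None


@dataclass
class Server:
    count_server_resets: bool      # hardened: count every reset, not only client ones
    cancel_backend_on_reset: bool  # hardened: stop backend work when the stream dies
    open_streams: set = field(default_factory=set)
    backend_jobs: set = field(default_factory=set)   # work still running on the backend
    resets: int = 0
    window: dict = field(default_factory=dict)
    closed: bool = False

    def _reset(self, stream_id: int, by_server: bool) -> None:
        self.open_streams.discard(stream_id)          # stream no longer counts as open
        if self.cancel_backend_on_reset:
            self.backend_jobs.discard(stream_id)
        if by_server and not self.count_server_resets:
            return                                    # naive: server-sent RST_STREAM not budgeted
        self.resets += 1
        if self.resets > RESET_BUDGET:
            self.closed = True                        # connection-level response to reset abuse

    def handle(self, frame: Frame) -> None:
        if self.closed:
            return
        if frame.kind == "HEADERS":
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                self._reset(frame.stream_id, by_server=True)   # REFUSED_STREAM
                return
            self.open_streams.add(frame.stream_id)
            self.backend_jobs.add(frame.stream_id)    # valid request dispatched to backend
            self.window[frame.stream_id] = 65535
            return
        if frame.kind == "RST_STREAM":
            self._reset(frame.stream_id, by_server=False)
            return
        reason = protocol_violation(frame, self.window.get(frame.stream_id, 0))
        if reason is not None:
            self._reset(frame.stream_id, by_server=True)   # server emits RST_STREAM
        elif frame.kind == "WINDOW_UPDATE":
            self.window[frame.stream_id] += frame.increment


def simulate_reset_pattern(server: Server, n: int) -> Server:
    """Constructed pattern from the article: a valid request on each stream,
    followed by a malformed control frame so the server resets the stream itself."""
    for i in range(n):
        sid = 2 * i + 1                                 # client streams are odd-numbered
        server.handle(Frame("HEADERS", sid))
        server.handle(Frame("WINDOW_UPDATE", sid, increment=0))
    return server


if __name__ == "__main__":
    naive = simulate_reset_pattern(Server(False, False), 1000)
    hardened = simulate_reset_pattern(Server(True, True), 1000)
    print("naive: backend jobs still running =", len(naive.backend_jobs))
    print("hardened: resets counted =", hardened.resets, "closed =", hardened.closed)
```

With the naive accounting, every stream is closed before the concurrency limit is ever reached, so all 1000 requests reach the backend and none are budgeted as resets; the hardened server closes the connection after the 101st reset and has no backend work outstanding. The two behaviours that matter for mitigation are independent: budgeting server-initiated resets and tearing down backend work on any reset.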

“The discovery of server-triggered rapid reset vulnerabilities highlights the evolving complexity of modern protocol abuse,” Imperva said. “Since HTTP/2 remains the foundation of web infrastructure, protecting against subtle, spec-compliant attacks like Madyoureset is more important than ever.”
HTTP/1.1 Must Die
The disclosure of MadeYouReset comes alongside details of a new HTTP/1.1 desync attack (aka HTTP request smuggling) from application security company PortSwigger, exposing millions of websites to hostile takeover, including a variant of CL.0 called 0.CL. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have addressed the issue.
HTTP request smuggling is an application-layer exploit that abuses inconsistencies in how front-end and back-end servers parse non-RFC-compliant HTTP requests, allowing attackers to “smuggle” requests past security controls.
“HTTP/1.1 has a fatal flaw. Attackers can create extreme ambiguity as to where one request ends and the next begins.” “HTTP/2+ eliminates this ambiguity and makes desync attacks virtually impossible. However, enabling HTTP/2 on the edge server is not enough; it must also be used for the reverse proxy’s upstream connections to the origin server.”
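Where HTTP/1.1 cannot yet be retired on an upstream hop, the defensive counterpart to the ambiguity described above is a front end that refuses any request whose body length two parsers could compute differently. The following is an added example, not PortSwigger’s, Akamai’s or Cloudflare’s code: a strict framing check per RFC 9112 that rejects conflicting Content-Length/Transfer-Encoding combinations, duplicate or non-numeric Content-Length values, non-chunked transfer codings, obsolete line folding and whitespace before the header colon. The sample requests are constructed.

```python
"""Strict HTTP/1.1 request-framing check for a front-end proxy.

Added illustration, not vendor code. Rejects every framing that a front-end
and a back-end server could interpret differently. Sample requests are constructed.
"""
from typing import List, Optional, Tuple


class FramingError(ValueError):
    """Raised when the request's body length is ambiguous or malformed."""


def _parse_headers(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")          # RFC 9112 5.2
        name, colon, value = line.partition(b":")
        if not colon or not name:
            raise FramingError("malformed header line")
        if name != name.strip():
            raise FramingError("whitespace around header name")   # "Content-Length :" style
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, body


def declared_body_length(raw: bytes) -> Optional[int]:
    """Return the unambiguous body length, None for chunked, or raise FramingError."""
    _, headers, _ = _parse_headers(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        # RFC 9112 6.1: a message with both is a request smuggling signal; reject it.
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("Transfer-Encoding must be exactly 'chunked'")
        return None
    if not cls:
        return 0                                                  # no body
    if len(set(cls)) > 1:
        raise FramingError("conflicting Content-Length values")
    value = cls[0]
    if not value.isdigit():
        raise FramingError("non-numeric Content-Length")
    return int(value)


def accept_for_upstream(raw: bytes) -> bool:
    """Policy wrapper: True only when the framing is unambiguous."""
    try:
        declared_body_length(raw)
        return True
    except FramingError:
        return False


# Constructed sample requests.
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED_NAME = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello"
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
          b"Content-Length: 6\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in [("CLEAN", CLEAN), ("CHUNKED", CHUNKED), ("CL_TE", CL_TE),
                      ("SPACED_NAME", SPACED_NAME), ("DUP_CL", DUP_CL)]:
        print(name, "accepted" if accept_for_upstream(req) else "rejected")
```

Rejecting rather than normalising is the point: a proxy that rewrites ambiguous framing can itself become the component whose interpretation differs from the origin, whereas a rejected request never reaches a second parser.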