MadeYouReset: Turning HTTP/2 Server Against Itself | Imperva

MadeYouReset: A New HTTP/2 Vulnerability
Security researchers from Tel Aviv University have discovered a critical vulnerability in HTTP/2 implementations that allows attackers to trigger denial-of-service conditions by making servers reset their own connections[^1].
Unlike the 2023 HTTP/2 Rapid Reset attack that relied on clients spamming RST_STREAM frames, MadeYouReset tricks servers into performing the resets themselves through carefully crafted protocol-compliant frames[^1]. The attack exploits four key mechanisms:
- Window-Overflow: Sending WINDOW_UPDATE frames that push a stream's flow-control window past the limit the protocol allows
- Zero-Increment: Sending WINDOW_UPDATE frames with an increment of zero, which the protocol forbids
- Half-Closed Stream Abuse: Sending frames on a half-closed stream that its state no longer permits
- Priority-Length Mismatch: Sending PRIORITY frames whose payload length does not match the size the protocol requires
The vulnerability (CVE-2025-8671) affects major HTTP/2 implementations including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP[^1]. Over 100 vendors required notification during the coordinated disclosure process[^8].
"Most servers are susceptible to a complete DoS, with a significant number also susceptible to an out-of-memory crash," said researcher Gal Bar Nahum[^8].
Recommended mitigations include:
- Stricter protocol validation
- Enhanced stream state tracking
- Connection-level rate controls
- Behavioral monitoring for protocol violations[^1]
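The four triggers above and the first three mitigations share one server-side shape: a compliant server answers each stream-level protocol violation with a stream reset, so the defence is to validate frames strictly, track stream state, and stop honouring violations one stream at a time once a connection has produced too many. The following is an added example, not code from the Imperva post or from any of the named vendors: a minimal HTTP/2 frame validator that models the checks each trigger would have to pass (frame layout and error conditions follow RFC 9113) and adds a per-connection violation budget. The `Http2ConnectionGuard` class, the `Decision` names and the budget of ten are assumptions chosen for illustration; the traffic fed to it is constructed inline.

```python
import struct
from enum import Enum

# Frame type codes and the END_STREAM flag from RFC 9113, section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x8
END_STREAM = 0x1
MAX_WINDOW = 2**31 - 1       # a flow-control window may never exceed this
INITIAL_WINDOW = 65535       # default initial window size per stream


class Decision(Enum):
    OK = "ok"
    RESET_STREAM = "rst_stream"      # spec-mandated stream error: server would send RST_STREAM
    CLOSE_CONNECTION = "goaway"      # connection error, or the violation budget is spent


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frame(frame):
    length = int.from_bytes(frame[:3], "big")
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    return length, frame[3], frame[4], stream_id, frame[9:9 + length]


class Http2ConnectionGuard:
    """Hypothetical per-connection tracker: stream state, window sizes, and a violation budget.

    Each stream-level violation still gets the RST_STREAM the spec requires, but once the
    (assumed) budget is exhausted the caller is told to close the connection instead.
    """

    def __init__(self, max_violations=10):
        self.max_violations = max_violations
        self.violations = 0
        self.streams = {}    # stream_id -> "open" | "half_closed_remote"
        self.windows = {}    # stream_id -> current send window for that stream
        self.conn_window = INITIAL_WINDOW

    def _stream_error(self, sid):
        self.violations += 1
        self.streams.pop(sid, None)
        self.windows.pop(sid, None)
        if self.violations > self.max_violations:
            return Decision.CLOSE_CONNECTION
        return Decision.RESET_STREAM

    def on_frame(self, frame):
        length, ftype, flags, sid, payload = parse_frame(frame)
        if len(payload) != length:
            return Decision.CLOSE_CONNECTION          # truncated frame: connection error
        if ftype == HEADERS:
            self.streams[sid] = "half_closed_remote" if flags & END_STREAM else "open"
            self.windows.setdefault(sid, INITIAL_WINDOW)
            return Decision.OK
        if ftype == DATA:
            # Half-closed stream abuse: DATA after END_STREAM is a STREAM_CLOSED stream error.
            if self.streams.get(sid) != "open":
                return self._stream_error(sid)
            if flags & END_STREAM:
                self.streams[sid] = "half_closed_remote"
            return Decision.OK
        if ftype == PRIORITY:
            # Priority-length mismatch: payload must be exactly 5 bytes (FRAME_SIZE_ERROR).
            return Decision.OK if len(payload) == 5 else self._stream_error(sid)
        if ftype == WINDOW_UPDATE:
            if len(payload) != 4:
                return Decision.CLOSE_CONNECTION      # wrong length is a connection error
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if sid == 0:
                # Connection-level window: zero increment and overflow are connection errors.
                if increment == 0 or self.conn_window + increment > MAX_WINDOW:
                    return Decision.CLOSE_CONNECTION
                self.conn_window += increment
                return Decision.OK
            if sid not in self.windows:
                return Decision.OK                    # update for a closed stream is ignored
            # Zero increment (PROTOCOL_ERROR) and window overflow (FLOW_CONTROL_ERROR).
            if increment == 0 or self.windows[sid] + increment > MAX_WINDOW:
                return self._stream_error(sid)
            self.windows[sid] += increment
            return Decision.OK
        if ftype == RST_STREAM:
            self.streams.pop(sid, None)
            self.windows.pop(sid, None)
            return Decision.OK
        return Decision.OK                            # other frame types are out of scope here


def repeated_violations(stream_count, max_violations=10):
    """Constructed traffic: each stream opens cleanly, then receives a zero-increment WINDOW_UPDATE.

    Returns the guard's decision per stream, showing the switch from per-stream resets to GOAWAY."""
    guard = Http2ConnectionGuard(max_violations)
    decisions = []
    for sid in range(1, 2 * stream_count, 2):        # client-initiated streams use odd ids
        guard.on_frame(build_frame(HEADERS, END_STREAM, sid))
        decisions.append(guard.on_frame(build_frame(WINDOW_UPDATE, 0, sid, b"\x00\x00\x00\x00")))
    return decisions
```

The design point is the budget: a server that only resets the offending stream keeps the connection open and keeps doing backend work for streams the peer has already discarded, which is what makes the reset cheap for the peer and expensive for the server. Counting violations per connection and escalating to a connection close (the page's "connection-level rate controls") bounds that cost; feeding the counts into monitoring gives the "behavioral monitoring for protocol violations" the page recommends.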
[^1]: [Imperva - MadeYouReset: Turning HTTP/2 Server Against Itself](https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/)
[^8]: The Register - 'MadeYouReset' HTTP/2 flaw lets attackers DoS servers