HTTP/2 MadeYouReset Vulnerability Enables Massive DDoS Attacks

Security researchers have disclosed a critical vulnerability in the HTTP/2 protocol that could enable massive distributed denial-of-service (DDoS) attacks, potentially affecting millions of web servers worldwide.

The flaw, dubbed “MadeYouReset” and assigned CVE-2025-8671, was publicly disclosed on August 13, 2025, by researchers who warn it could surpass the impact of the devastating “Rapid Reset” attacks from 2023.

Vulnerability Overview

The MadeYouReset vulnerability allows attackers to bypass HTTP/2’s built-in concurrency limits, enabling them to create unbounded concurrent work on target servers with minimal resources.

This represents a significant escalation from traditional DDoS methods, as attackers can overwhelm servers while using far less bandwidth and computational power than conventional attacks.

The research was conducted jointly by security expert Gal Bar-Nahum with Professor Anat Bremler-Barr and Yaniv Harel from Tel Aviv University, with partial support from Imperva.

The vulnerability builds upon the foundation of 2023’s Rapid Reset attack but introduces a clever twist that circumvents the common mitigation strategies deployed after the previous incident.

HTTP/2 includes a parameter called MAX_CONCURRENT_STREAMS, typically set to 100, which limits the number of active streams a client can maintain simultaneously.

This mechanism was designed to prevent server overload from malicious clients opening too many concurrent requests.

The original Rapid Reset attack exploited request cancellation features, allowing attackers to open streams and immediately cancel them using RST_STREAM frames.

While servers continued processing these cancelled requests, they no longer counted toward the concurrency limit, enabling unbounded attack potential.

MadeYouReset takes a different approach entirely. Instead of the client canceling requests, the new technique tricks the server into canceling them automatically.

Researchers identified six different methods to trigger server-initiated RST_STREAM frames while maintaining valid backend processing, completely bypassing the RST_STREAM counting mitigations implemented after Rapid Reset.

The vulnerability affects virtually all HTTP/2-compliant implementations. Testing reveals that most servers can be driven into complete denial of service, with many experiencing out-of-memory crashes.

The attack’s effectiveness depends on server capacity, attacker bandwidth, and target resource complexity, but the asymmetric nature of the attack makes most implementations vulnerable.

Organizations running HTTP/2 servers should immediately review vendor advisories and apply available patches to mitigate this critical vulnerability.

AWS Security Services: 10-Point Executive Checklist - Download for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!