F5

F5 BIG-IP, a widely used application delivery controller, was identified as vulnerable to the **MadeYouReset (CVE-2025-8671)** HTTP/2 denial-of-service (DoS) flaw. The technique lets attackers bypass concurrency limits by tricking servers into issuing **RST_STREAM** frames themselves, so that streams appear closed while backend processing continues, overwhelming backend systems with unbounded phantom requests. The result is **resource exhaustion**: severe performance degradation, system crashes, or complete outages due to out-of-memory conditions. Given BIG-IP's role in load balancing and traffic management for critical enterprise and cloud infrastructures, an attack could disrupt high-traffic services, financial transactions, or government portals. While no data breach was reported, the **operational impact** is severe, potentially halting business continuity, damaging reputation, and incurring financial losses from downtime. Mitigation requires urgent patching per F5's advisory (CVE-2025-54500) or, as a temporary measure, reducing **MAX_CONCURRENT_STREAMS**; unpatched systems remain at high risk of large-scale DDoS attacks.

Source: https://cybersecuritynews.com/http-2-madeyoureset-vulnerability/

TPRM report: https://www.rankiteo.com/company/f5

{
"id": "f5749081525",
"linkid": "f5",
"type": "Vulnerability",
"date": "8/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Software Development',
                        'name': 'Netty',
                        'type': 'Open-Source Project'},
                       {'industry': 'Software Development',
                        'name': 'Apache Tomcat',
                        'type': 'Open-Source Project'},
                       {'industry': 'Networking/Load Balancing',
                        'location': 'Seattle, Washington, USA',
                        'name': 'F5 Networks (BIG-IP)',
                        'type': 'Corporation'},
                       {'industry': 'Software Development',
                        'name': 'H2O',
                        'type': 'Open-Source Project'},
                       {'industry': 'Software Development',
                        'name': 'Swift-NIO-HTTP2',
                        'type': 'Open-Source Project'},
                       {'industry': ['Technology',
                                     'Web Services',
                                     'Networking'],
                        'location': 'Global',
                        'name': '100+ Vendors (Coordinated via CERT/CC)',
                        'type': ['Corporations', 'Open-Source Projects']}],
 'attack_vector': ['Network',
                   'Protocol Manipulation (HTTP/2)',
                   'Resource Exhaustion'],
 'customer_advisories': ['Apply Patches Immediately',
                         'Monitor for Attack Signatures'],
 'date_publicly_disclosed': '2025-08-13',
 'description': 'Security researchers identified a new denial-of-service (DoS) '
                'vulnerability in HTTP/2 implementations, dubbed '
                "'MadeYouReset' (CVE-2025-8671). This flaw allows attackers to "
                'bypass concurrency limits by tricking servers into issuing '
                'RST_STREAM frames, overwhelming systems with unbounded '
                'concurrent requests and potentially crashing them through '
                "resource exhaustion. MadeYouReset builds on the 2023 'Rapid "
                "Reset' vulnerability (CVE-2023-44487), exploiting HTTP/2’s "
                'stream cancellation mechanism more effectively by evading '
                'mitigations like RST_STREAM frame limits. Attackers can '
                'induce server-side resets via RFC-compliant primitives, '
                'ensuring backend processing persists while streams appear '
                'closed, enabling high-impact DDoS attacks with minimal '
                'attacker resources.',
 'impact': {'brand_reputation_impact': ['Potential Loss of Trust in Affected '
                                        'Vendors',
                                        'Negative Publicity for HTTP/2 '
                                        'Security'],
            'downtime': ['Full Denial-of-Service (DoS) for Affected Systems',
                         'Potential System Crashes (Out-of-Memory)',
                         'Performance Degradation'],
            'operational_impact': ['Service Disruption',
                                   'Resource Exhaustion (CPU/Memory/I/O)',
                                   'Increased Latency'],
            'systems_affected': ['Web Servers',
                                 'HTTP/2 Implementations',
                                 'Backend Processing Systems']},
 'investigation_status': 'Ongoing (Public Disclosure Phase; Vendors Releasing '
                         'Patches)',
 'lessons_learned': ['HTTP/2 Protocol Asymmetries Persist: Request Sending is '
                     'Cheap, Processing is Expensive',
                     'Mitigations for Prior Vulnerabilities (e.g., Rapid '
                     'Reset) Can Be Bypassed via Protocol Manipulation',
                     'Rate-Limiting Server-Side Resets is Critical for DoS '
                     'Protection',
                     'Ongoing Protocol Refinements Are Necessary to Counter '
                     'Evolving Threats'],
 'motivation': ['Disruption',
                'DDoS-for-Hire',
                'Cybercrime',
                'Hacktivism (Potential)'],
 'post_incident_analysis': {'corrective_actions': ['Protocol-Level Fixes '
                                                   '(e.g., HTTP/2 Errata or '
                                                   'HTTP/3 Adoption)',
                                                   'Enhanced Rate-Limiting for '
                                                   'Server Resets',
                                                   'Improved Concurrency '
                                                   'Accounting in HTTP/2 '
                                                   'Stacks',
                                                   'Proactive Monitoring for '
                                                   'Protocol Abuse'],
                            'root_causes': ['HTTP/2 Protocol Design Flaw: '
                                            'Asymmetric Cost Between Request '
                                            'Sending and Processing',
                                            'Inadequate Safeguards for '
                                            'Server-Issued RST_STREAM Frames',
                                            'Over-Reliance on Client-Side '
                                            'RST_STREAM Limits (Bypassed via '
                                            'Server-Side Tricks)',
                                            'Lack of Granular Concurrency '
                                            'Controls in HTTP/2 '
                                            'Implementations']},
 'recommendations': ['Immediately Patch Affected HTTP/2 Implementations (e.g., '
                     'Netty, Apache Tomcat, F5 BIG-IP, H2O, Swift-NIO-HTTP2)',
                     'Implement Rate-Limiting on Server-Issued RST_STREAM '
                     'Frames',
                     'Reduce MAX_CONCURRENT_STREAMS Limits as a Temporary '
                     'Mitigation',
                     'Monitor for Anomalous RST_STREAM Patterns and '
                     'Concurrency Limit Violations',
                     'Adopt Defense-in-Depth Strategies (e.g., WAF Rules for '
                     'HTTP/2 Abuse, Botnet Mitigation)',
                     'Participate in Coordinated Vulnerability Disclosure '
                     'Programs (e.g., CERT/CC)',
                     'Evaluate HTTP/3 (QUIC) as a Long-Term Alternative to '
                     'HTTP/2 for Resilience'],
 'references': [{'source': 'CVE-2025-8671 (MadeYouReset) Advisory'},
                {'source': 'CERT/CC Vulnerability Note (Coordinated '
                           'Disclosure)'},
                {'source': 'Netty Security Advisory (CVE-2025-55163)'},
                {'source': 'Apache Tomcat Security Advisory (CVE-2025-48989)'},
                {'source': 'F5 BIG-IP Security Advisory (CVE-2025-54500)'},
                {'source': 'Research Paper/Technical Analysis on '
                           'MadeYouReset'}],
 'regulatory_compliance': {'regulatory_notifications': ['CERT/CC '
                                                        'Coordination']},
 'response': {'communication_strategy': ['Public Disclosure (2025-08-13)',
                                         'Vendor Advisories'],
              'containment_measures': ['Reduce MAX_CONCURRENT_STREAMS Limit',
                                       'Monitor Anomalous RST_STREAM Patterns',
                                       'Rate-Limiting on Server Resets'],
              'enhanced_monitoring': ['Monitor RST_STREAM Frames',
                                      'Track Concurrency Limit Violations'],
              'incident_response_plan_activated': ['Vendor-Coordinated '
                                                   'Disclosure (CERT/CC)',
                                                   'Patch Development'],
              'remediation_measures': ['Apply Vendor-Supplied Patches (e.g., '
                                       'Netty CVE-2025-55163, Apache Tomcat '
                                       'CVE-2025-48989, F5 BIG-IP '
                                       'CVE-2025-54500)',
                                       'Update to Fixed HTTP/2 '
                                       'Implementations'],
              'third_party_assistance': ['CERT/CC Coordination']},
 'stakeholder_advisories': ['Vendor Security Advisories',
                            'CERT/CC Notification'],
 'title': 'MadeYouReset HTTP/2 Denial-of-Service (DoS) Vulnerability '
          '(CVE-2025-8671)',
 'type': ['Denial-of-Service (DoS)',
          'Vulnerability Exploitation',
          'Distributed Denial-of-Service (DDoS)'],
 'vulnerability_exploited': ['CVE-2025-8671 (MadeYouReset)',
                             'HTTP/2 Protocol Flaw (RST_STREAM Abuse)',
                             'Concurrency Limit Bypass']}