F5 BIG-IP, a widely used application delivery controller, was identified as vulnerable to the **MadeYouReset (CVE-2025-8671)** HTTP/2 denial-of-service (DoS) flaw. This exploit allows attackers to bypass concurrency limits by tricking servers into issuing **RST_STREAM** frames, overwhelming backend systems with unbounded phantom requests. The vulnerability leads to **resource exhaustion**, causing severe performance degradation, system crashes, or complete outages due to out-of-memory conditions. Given BIG-IP’s role in load balancing and traffic management for critical enterprise and cloud infrastructures, an attack could disrupt high-traffic services, financial transactions, or government portals. While no data breach was reported, the **operational impact** is severe, potentially halting business continuity, damaging reputation, and incurring financial losses from downtime. Mitigation requires urgent patching (CVE-2025-54500) or reducing **MAX_CONCURRENT_STREAMS**, but unpatched systems remain at high risk of large-scale DDoS attacks.
Source: https://cybersecuritynews.com/http-2-madeyoureset-vulnerability/
TPRM report: https://www.rankiteo.com/company/f5
"id": "f5749081525",
"linkid": "f5",
"type": "Vulnerability",
"date": "8/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Software Development',
'name': 'Netty',
'type': 'Open-Source Project'},
{'industry': 'Software Development',
'name': 'Apache Tomcat',
'type': 'Open-Source Project'},
{'industry': 'Networking/Load Balancing',
'location': 'Seattle, Washington, USA',
'name': 'F5 Networks (BIG-IP)',
'type': 'Corporation'},
{'industry': 'Software Development',
'name': 'H2O',
'type': 'Open-Source Project'},
{'industry': 'Software Development',
'name': 'Swift-NIO-HTTP2',
'type': 'Open-Source Project'},
{'industry': ['Technology',
'Web Services',
'Networking'],
'location': 'Global',
'name': '100+ Vendors (Coordinated via CERT/CC)',
'type': ['Corporations', 'Open-Source Projects']}],
'attack_vector': ['Network',
'Protocol Manipulation (HTTP/2)',
'Resource Exhaustion'],
'customer_advisories': ['Apply Patches Immediately',
'Monitor for Attack Signatures'],
'date_publicly_disclosed': '2025-08-13',
'description': 'Security researchers identified a new denial-of-service (DoS) '
'vulnerability in HTTP/2 implementations, dubbed '
"'MadeYouReset' (CVE-2025-8671). This flaw allows attackers to "
'bypass concurrency limits by tricking servers into issuing '
'RST_STREAM frames, overwhelming systems with unbounded '
'concurrent requests and potentially crashing them through '
"resource exhaustion. MadeYouReset builds on the 2023 'Rapid "
"Reset' vulnerability (CVE-2023-44487), exploiting HTTP/2’s "
'stream cancellation mechanism more effectively by evading '
'mitigations like RST_STREAM frame limits. Attackers can '
'induce server-side resets via RFC-compliant primitives, '
'ensuring backend processing persists while streams appear '
'closed, enabling high-impact DDoS attacks with minimal '
'attacker resources.',
'impact': {'brand_reputation_impact': ['Potential Loss of Trust in Affected '
'Vendors',
'Negative Publicity for HTTP/2 '
'Security'],
'downtime': ['Full Denial-of-Service (DoS) for Affected Systems',
'Potential System Crashes (Out-of-Memory)',
'Performance Degradation'],
'operational_impact': ['Service Disruption',
'Resource Exhaustion (CPU/Memory/I/O)',
'Increased Latency'],
'systems_affected': ['Web Servers',
'HTTP/2 Implementations',
'Backend Processing Systems']},
'investigation_status': 'Ongoing (Public Disclosure Phase; Vendors Releasing '
'Patches)',
'lessons_learned': ['HTTP/2 Protocol Asymmetries Persist: Request Sending is '
'Cheap, Processing is Expensive',
'Mitigations for Prior Vulnerabilities (e.g., Rapid '
'Reset) Can Be Bypassed via Protocol Manipulation',
'Rate-Limiting Server-Side Resets is Critical for DoS '
'Protection',
'Ongoing Protocol Refinements Are Necessary to Counter '
'Evolving Threats'],
'motivation': ['Disruption',
'DDoS-for-Hire',
'Cybercrime',
'Hacktivism (Potential)'],
'post_incident_analysis': {'corrective_actions': ['Protocol-Level Fixes '
'(e.g., HTTP/2 Errata or '
'HTTP/3 Adoption)',
'Enhanced Rate-Limiting for '
'Server Resets',
'Improved Concurrency '
'Accounting in HTTP/2 '
'Stacks',
'Proactive Monitoring for '
'Protocol Abuse'],
'root_causes': ['HTTP/2 Protocol Design Flaw: '
'Asymmetric Cost Between Request '
'Sending and Processing',
'Inadequate Safeguards for '
'Server-Issued RST_STREAM Frames',
'Over-Reliance on Client-Side '
'RST_STREAM Limits (Bypassed via '
'Server-Side Tricks)',
'Lack of Granular Concurrency '
'Controls in HTTP/2 '
'Implementations']},
'recommendations': ['Immediately Patch Affected HTTP/2 Implementations (e.g., '
'Netty, Apache Tomcat, F5 BIG-IP, H2O, Swift-NIO-HTTP2)',
'Implement Rate-Limiting on Server-Issued RST_STREAM '
'Frames',
'Reduce MAX_CONCURRENT_STREAMS Limits as a Temporary '
'Mitigation',
'Monitor for Anomalous RST_STREAM Patterns and '
'Concurrency Limit Violations',
'Adopt Defense-in-Depth Strategies (e.g., WAF Rules for '
'HTTP/2 Abuse, Botnet Mitigation)',
'Participate in Coordinated Vulnerability Disclosure '
'Programs (e.g., CERT/CC)',
'Evaluate HTTP/3 (QUIC) as a Long-Term Alternative to '
'HTTP/2 for Resilience'],
'references': [{'source': 'CVE-2025-8671 (MadeYouReset) Advisory'},
{'source': 'CERT/CC Vulnerability Note (Coordinated '
'Disclosure)'},
{'source': 'Netty Security Advisory (CVE-2025-55163)'},
{'source': 'Apache Tomcat Security Advisory (CVE-2025-48989)'},
{'source': 'F5 BIG-IP Security Advisory (CVE-2025-54500)'},
{'source': 'Research Paper/Technical Analysis on '
'MadeYouReset'}],
'regulatory_compliance': {'regulatory_notifications': ['CERT/CC '
'Coordination']},
'response': {'communication_strategy': ['Public Disclosure (2025-08-13)',
'Vendor Advisories'],
'containment_measures': ['Reduce MAX_CONCURRENT_STREAMS Limit',
'Monitor Anomalous RST_STREAM Patterns',
'Rate-Limiting on Server Resets'],
'enhanced_monitoring': ['Monitor RST_STREAM Frames',
'Track Concurrency Limit Violations'],
'incident_response_plan_activated': ['Vendor-Coordinated '
'Disclosure (CERT/CC)',
'Patch Development'],
'remediation_measures': ['Apply Vendor-Supplied Patches (e.g., '
'Netty CVE-2025-55163, Apache Tomcat '
'CVE-2025-48989, F5 BIG-IP '
'CVE-2025-54500)',
'Update to Fixed HTTP/2 '
'Implementations'],
'third_party_assistance': ['CERT/CC Coordination']},
'stakeholder_advisories': ['Vendor Security Advisories',
'CERT/CC Notification'],
'title': 'MadeYouReset HTTP/2 Denial-of-Service (DoS) Vulnerability '
'(CVE-2025-8671)',
'type': ['Denial-of-Service (DoS)',
'Vulnerability Exploitation',
'Distributed Denial-of-Service (DDoS)'],
'vulnerability_exploited': ['CVE-2025-8671 (MadeYouReset)',
'HTTP/2 Protocol Flaw (RST_STREAM Abuse)',
'Concurrency Limit Bypass']}