Fastly, a leading edge cloud computing and content delivery network (CDN) provider, was identified as one of the major vendors affected by CVE-2025-8671 (MadeYouReset), a critical HTTP/2 protocol-level vulnerability. The flaw allows threat actors to exploit server-sent stream resets, enabling devastating denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. By manipulating HTTP/2 stream cancellation mechanisms, attackers force Fastly's infrastructure to process an unbounded number of requests while bypassing concurrency limits, leading to severe CPU and memory exhaustion.

The vulnerability stems from a mismatch between HTTP/2's specification and real-world implementations: a reset stream is marked inactive in the protocol's stream accounting, yet the request it carried continues to consume backend resources. For Fastly, which powers high-traffic websites, APIs, and streaming services, this could result in catastrophic outages, disrupting global digital services, e-commerce platforms, and real-time applications that rely on its CDN. Prolonged exploitation might degrade performance for end users, trigger financial losses for dependent businesses, and erode customer trust in Fastly's reliability.

While Fastly has likely released patches, unpatched systems remain at risk of large-scale disruptions, particularly if targeted by state-sponsored or criminal hacking groups seeking to weaponize the flaw against critical infrastructure. The vulnerability's potential to halt or degrade internet-facing services positions it as a high-stakes threat to Fastly's operational integrity and its clients' digital continuity.
Source: https://gbhackers.com/denial-of-service-attacks/
TPRM report: https://www.rankiteo.com/company/fastly
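The accounting mismatch described above (a reset stream leaves the protocol layer's open-stream count while its request keeps running on the backend) and the two mitigations named in the record (counting backend work rather than protocol-open streams, and limiting the rate of server-sent resets) can be shown in a small simulation. The following is an added example written for this page; it is a hypothetical model, not Fastly's or any vendor's code, and the `ConnectionState`, `run_trace` and `reset_storm` names, the limits, and the event trace are all constructed here.

```python
"""
Toy model of per-connection HTTP/2 stream accounting on a server.
Hypothetical code written for this page; event names and limits are
constructed and do not correspond to any real implementation.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

MAX_CONCURRENT_STREAMS = 4   # value the server advertises in SETTINGS (constructed)
RESET_BUDGET = 3             # hardened policy: server-sent resets tolerated per window
RESET_WINDOW_MS = 1000       # hardened policy: sliding window for that budget


@dataclass
class ConnectionState:
    hardened: bool
    protocol_open: int = 0        # streams the HTTP/2 layer still considers open
    backend_inflight: int = 0     # requests the backend has not finished
    peak_inflight: int = 0        # worst backend load seen on this connection
    dispatched: int = 0           # requests that were handed to the backend
    resets: Deque[int] = field(default_factory=deque)  # timestamps of server resets
    closed_reason: Optional[str] = None

    def _limit_reached(self) -> bool:
        # Vulnerable accounting trusts the protocol counter, which drops on every
        # RST_STREAM; hardened accounting counts work the backend has not finished.
        count = self.backend_inflight if self.hardened else self.protocol_open
        return count >= MAX_CONCURRENT_STREAMS

    def on_headers(self, ts_ms: int) -> bool:
        """Client opened a stream; returns True if the request reached the backend."""
        if self.closed_reason or self._limit_reached():
            return False
        self.protocol_open += 1
        self.backend_inflight += 1
        self.dispatched += 1
        self.peak_inflight = max(self.peak_inflight, self.backend_inflight)
        return True

    def on_server_reset(self, ts_ms: int) -> None:
        """Server sent RST_STREAM for the most recent stream.  The protocol layer
        forgets the stream at once; the backend request keeps running."""
        if self.closed_reason:
            return
        self.protocol_open -= 1
        if self.hardened:
            # Keep a sliding window of reset timestamps and close the connection
            # (GOAWAY) once the budget is exceeded, so resets cannot be used to
            # refill the concurrency limit indefinitely.
            self.resets.append(ts_ms)
            while self.resets and ts_ms - self.resets[0] > RESET_WINDOW_MS:
                self.resets.popleft()
            if len(self.resets) > RESET_BUDGET:
                self.closed_reason = "GOAWAY: reset rate exceeded"

    def on_backend_done(self) -> None:
        """Backend finished a request; only now does the real load drop."""
        self.backend_inflight -= 1


def reset_storm(cycles: int, step_ms: int = 10) -> List[Tuple[int, str]]:
    """Constructed trace: every dispatched request is reset by the server right
    afterwards, and the backend is slow enough that nothing completes."""
    events: List[Tuple[int, str]] = []
    for i in range(cycles):
        events.append((2 * i * step_ms, "HEADERS"))
        events.append(((2 * i + 1) * step_ms, "SERVER_RESET"))
    return events


def run_trace(hardened: bool, events: List[Tuple[int, str]]) -> ConnectionState:
    """Replay an event trace against one connection and return its final state."""
    conn = ConnectionState(hardened=hardened)
    for ts_ms, kind in events:
        if kind == "HEADERS":
            conn.on_headers(ts_ms)
        elif kind == "SERVER_RESET":
            conn.on_server_reset(ts_ms)
        elif kind == "BACKEND_DONE":
            conn.on_backend_done()
    return conn


if __name__ == "__main__":
    for hardened in (False, True):
        state = run_trace(hardened, reset_storm(10))
        print(f"hardened={hardened}: dispatched={state.dispatched}, "
              f"peak backend inflight={state.peak_inflight}, "
              f"closed={state.closed_reason}")
```

With protocol-only accounting the open-stream counter never exceeds one, so all ten requests reach the backend and the peak backend load is ten, well past the advertised limit of four. With backend-work accounting the fifth request is refused, and the reset budget closes the connection on the fourth server-sent reset. The same sliding-window count of server-sent resets per connection is what the record's "monitor for excessive stream resets" advice amounts to when implemented as a detection.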
"id": "fas0592505110625",
"linkid": "fastly",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Apache Tomcat',
                        'type': ['Web Server', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Mozilla',
                        'type': ['Browser Vendor', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Red Hat',
                        'type': ['Enterprise Software', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'SUSE Linux',
                        'type': ['Operating System', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Netty',
                        'type': ['Networking Framework', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'gRPC',
                        'type': ['RPC Framework', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Fastly',
                        'type': ['CDN/Edge Computing', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Varnish Software',
                        'type': ['Caching Solution', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'Eclipse Foundation',
                        'type': ['Open-Source Projects', 'HTTP/2 Implementation']},
                       {'industry': 'Technology',
                        'name': 'AMPHP',
                        'type': ['PHP Async Framework', 'HTTP/2 Implementation']}],
 'attack_vector': ['Network', 'Protocol Manipulation (HTTP/2 Stream Resets)'],
 'customer_advisories': ['Urgent Patching Required',
                         'Monitor for DDoS Indicators'],
 'description': "A critical vulnerability (CVE-2025-8671, aka 'MadeYouReset') was discovered in numerous HTTP/2 implementations, enabling threat actors to orchestrate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The flaw exploits a mismatch between the HTTP/2 specification and server implementations, abusing server-sent stream resets to create resource exhaustion. Attackers manipulate stream cancellation features to force servers into processing unbounded HTTP/2 requests, bypassing the SETTINGS_MAX_CONCURRENT_STREAMS safeguard. This leads to catastrophic CPU/memory overload. The vulnerability resembles CVE-2023-44487 ('Rapid Reset') and affects major vendors like Apache Tomcat, Mozilla, Red Hat, Netty, gRPC, Fastly, and others. Patches and mitigations (e.g., stricter RST_STREAM frame limits) are recommended.",
 'impact': {'brand_reputation_impact': ['Potential Loss of Trust in Affected Vendors'],
            'downtime': ['Potential Catastrophic Outages (CPU/Memory Exhaustion)'],
            'operational_impact': ['Service Degradation',
                                   'Complete System Failures'],
            'systems_affected': ['HTTP/2 Servers', 'Backend Infrastructure']},
 'investigation_status': 'Ongoing (Patches Released; Mitigations Recommended)',
 'lessons_learned': ['HTTP/2 implementations systematically fail to account for stream reset lifecycle management.',
                     'Protocol-level vulnerabilities can have widespread impact across vendors.',
                     'Rate-limiting and input validation are critical for mitigating DoS risks in modern protocols.'],
 'motivation': ['Disruption of Services',
                'Exploitation of Unpatched Systems',
                'Large-Scale DDoS Potential'],
 'post_incident_analysis': {'corrective_actions': ['Patch HTTP/2 implementations to enforce reset limits.',
                                                   'Re-architect stream lifecycle management to align protocol and backend states.',
                                                   'Enhance testing for protocol-level edge cases.'],
                            'root_causes': ['Protocol specification vs. implementation mismatch in HTTP/2 stream reset handling.',
                                            'Inadequate accounting for backend request processing post-reset.',
                                            'Over-reliance on SETTINGS_MAX_CONCURRENT_STREAMS without enforcement.']},
 'recommendations': ['Apply vendor-provided patches immediately.',
                     'Implement stricter limits on RST_STREAM frames and reset rates.',
                     'Review HTTP/2 implementations for similar accounting flaws.',
                     'Deploy additional rate-limiting controls until patches are applied.',
                     'Monitor for unusual patterns in HTTP/2 stream resets.'],
 'references': [{'source': 'Tel Aviv University Research Team (Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel)'},
                {'source': 'CERT/CC Vulnerability Note'},
                {'source': 'Vendor Advisories (Apache, Mozilla, Red Hat, etc.)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CERT/CC Advisory']},
 'response': {'communication_strategy': ['Public Advisories',
                                         'Vendor Notifications'],
              'containment_measures': ['Rate-Limiting RST_STREAM Frames',
                                       'Reviewing HTTP/2 Implementations'],
              'enhanced_monitoring': ['Monitoring for Excessive Stream Resets'],
              'remediation_measures': ['Vendor Patches',
                                       'Protocol-Level Fixes'],
              'third_party_assistance': ['CERT/CC Recommendations']},
 'stakeholder_advisories': ['Vendor-Specific Patches', 'CERT/CC Guidelines'],
 'title': "Critical HTTP/2 Vulnerability 'MadeYouReset' (CVE-2025-8671) Enables Potent DoS/DDoS Attacks",
 'type': ['Denial-of-Service (DoS)',
          'Distributed Denial-of-Service (DDoS)',
          'Protocol-Level Vulnerability'],
 'vulnerability_exploited': {'cve_id': ['CVE-2025-8671',
                                        'CVE-2025-48989 (Apache Tomcat)'],
                             'description': 'Exploits HTTP/2 stream reset accounting flaws to bypass concurrent stream limits, enabling resource exhaustion via unbounded request processing.',
                             'name': 'MadeYouReset',
                             'severity': 'Critical'}}