PT-2025-32984 · Http/2 +1

Anat Bremler-Barr +2 · Published 2025-08-13 · Updated 2025-09-09 · CVE-2025-8671

CVSS v2.0: 7.8 (Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

**Name of the Vulnerable Software and Affected Versions:**

Apache Tomcat versions ≤11.0.9, ≤10.1.43, ≤9.0.107

Netty (affected versions not specified)

F5 BIG-IP (affected versions not specified)

H2O (affected versions not specified)

AMPHP (affected versions not specified)

Eclipse Foundation (affected versions not specified)

gRPC (affected versions not specified)

Mozilla (affected versions not specified)

Suse Linux (affected versions not specified)

Varnish Software (affected versions not specified)

Wind River (affected versions not specified)

Zephyr Project (affected versions not specified)

**Description:**

A mismatch between the HTTP/2 specification and the internal architecture of some HTTP/2 implementations, specifically around server-sent stream resets that the client can trigger, can lead to excessive server resource consumption and denial of service (DoS). An attacker can exploit this by opening streams and rapidly provoking resets with malformed frames or flow-control errors. The server may keep processing a request after its stream has been reset, so the number of requests effectively in flight is no longer bounded by the concurrent-stream limit, and resources are exhausted. The attack, known as 'MadeYouReset', is comparable in effectiveness to the Rapid Reset attack but does not appear to have been used in real-world attacks so far. Approximately 99.6K+ services are found to be potentially affected yearly. The vulnerability bypasses existing mitigations.

**Recommendations:**

Apache Tomcat versions ≤11.0.9, ≤10.1.43, and ≤9.0.107: Apply the latest security patches released by the Apache Tomcat project.

Netty: Apply the latest security patches released by the Netty project.

F5 BIG-IP: Apply the latest security patches released by F5.

H2O: Apply the latest security patches released by H2O.

AMPHP: Apply the latest security patches released by AMPHP.

Eclipse Foundation: Apply the latest security patches released by the Eclipse Foundation.

gRPC: Apply the latest security patches released by gRPC.

Mozilla: Apply the latest security patches released by Mozilla.

Suse Linux: Apply the latest security patches released by Suse Linux.

Varnish Software: Apply the latest security patches released by Varnish Software.

Wind River: Apply the latest security patches released by Wind River.

Zephyr Project: Apply the latest security patches released by Zephyr Project.

Implement rate-limiting and anomaly detection mechanisms to mitigate the risk of exploitation.

Exploit · Fix · DoS · Improper Resource Release

Weakness Enumeration

Related Identifiers

BDU:2025-09848
CVE-2025-8671
GHSA-MRJM-QQ9M-9MJQ

Affected Products

Debian
Http/2