PT-2025-32984 · Http/2+3

Anat Bremler-Barr +2 · Published 2025-08-13 · Updated 2026-06-06 · CVE-2025-8671

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

AMPHP (affected versions not specified)
Apache Tomcat (affected versions not specified)
Eclipse Foundation (affected versions not specified)
F5 (affected versions not specified)
Fastly (affected versions not specified)
gRPC (affected versions not specified)
Mozilla (affected versions not specified)
Netty (affected versions not specified)
Suse Linux (affected versions not specified)
Varnish Cache (affected versions not specified)
Wind River (affected versions not specified)
Zephyr Project (affected versions not specified)
Description

A mismatch between the HTTP/2 specification and the internal architecture of some implementations leads to incorrect stream accounting. By opening streams and rapidly provoking the server into resetting them (for example with malformed frames or flow-control errors), a remote attacker can cause excessive server resource consumption. The problem is that a stream the server resets counts as closed at the protocol level, while the backend continues to process it, so a client can force the server to handle an unbounded number of concurrent streams on a single connection. The issue, dubbed MadeYouReset, can be used to launch large-scale denial-of-service (DoS) attacks and bypasses existing Rapid Reset mitigations, because the server decrements its own stream counters when it performs the reset. The attack traffic often blends in with legitimate traffic, which makes detection difficult.
Recommendations

Update Apache Tomcat to the latest patched version. Update F5 to the latest patched version. Update Fastly to the latest patched version. Update Varnish Cache to the latest patched version. Implement rate limiting and anomaly detection to identify and block malicious HTTP/2 traffic patterns. At the moment there is no information about a newer version that contains a fix for AMPHP, Eclipse Foundation, gRPC, Mozilla, Netty, Suse Linux, Wind River, and Zephyr Project.
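As an added illustration (not code from any vendor listed above), the following Python model contrasts the flawed protocol-level stream accounting described here with accounting that keeps a stream counted until the backend actually releases it. The event trace, the limit of 100 streams and all names are constructed assumptions for the model.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT = 100  # assumed SETTINGS_MAX_CONCURRENT_STREAMS advertised by the server


@dataclass
class StreamAccountant:
    """Counts a connection's in-flight streams (constructed model).

    count_backend_work=False models the flawed accounting: a stream the
    server reset (RST_STREAM) leaves the count although the backend is still
    processing it. count_backend_work=True keeps counting the stream until
    the backend finishes it, which is what closes the MadeYouReset gap.
    """
    count_backend_work: bool
    open_protocol: set = field(default_factory=set)
    backend_active: set = field(default_factory=set)
    peak_backend: int = 0
    rejected: bool = False  # True once the connection would be torn down (GOAWAY)

    def _load(self):
        return len(self.backend_active if self.count_backend_work else self.open_protocol)

    def handle(self, event, stream_id):
        if self.rejected:
            return
        if event == "open":      # client sends HEADERS on a new stream
            self.open_protocol.add(stream_id)
            self.backend_active.add(stream_id)
            self.peak_backend = max(self.peak_backend, len(self.backend_active))
            if self._load() > MAX_CONCURRENT:
                self.rejected = True
        elif event == "rst":     # server resets the stream after a client-caused protocol error
            self.open_protocol.discard(stream_id)
        elif event == "done":    # backend finished; the stream's resources are released
            self.open_protocol.discard(stream_id)
            self.backend_active.discard(stream_id)


def run(events, count_backend_work):
    """Replay an event trace and return (peak backend-active streams, rejected)."""
    acct = StreamAccountant(count_backend_work)
    for event, stream_id in events:
        acct.handle(event, stream_id)
    return acct.peak_backend, acct.rejected


def reset_burst_trace(n):
    """Constructed trace: n streams opened and reset by the server, none finished yet."""
    return [(ev, 2 * i + 1) for i in range(n) for ev in ("open", "rst")]
```

With the flawed accounting a burst of 1000 reset streams never exceeds the advertised limit while 1000 requests sit on the backend; with backend-aware accounting the connection is rejected at the 101st stream.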

Exploit · Fix · DoS · Improper Resource Release


Weakness Enumeration

Related Identifiers

BDU:2025-09848
CVE-2025-8671
GHSA-MRJM-QQ9M-9MJQ
MGASA-2025-0239
OESA-2025-2166
OESA-2025-2167
OESA-2025-2185
OESA-2025-2186
OESA-2025-2187
OESA-2025-2188
OESA-2025-2189
OESA-2025-2238
OESA-2025-2253
OESA-2025-2464
OPENSUSE-SU-2025:15448-1
OPENSUSE-SU-2026:10219-1
OPENSUSE-SU-2026:20461-1
RUSTSEC-2025-0070
SUSE-SU-2026:0888-1
SUSE-SU-2026:20995-1
USN-8037-1

Affected Products

Debian
Http/2
Linuxmint
Ubuntu