HTTP/2 MadeYouReset flaw (CVE-2025-8671)

Vulnerability
1 unique source, 1 article

Summary

MadeYouReset is a new HTTP/2 vulnerability that lets attackers bypass the usual 100 concurrent-request limit and drive large-scale denial-of-service against affected servers. The flaw is tracked as CVE-2025-8671 and has been tied to affected implementations including Apache Tomcat, F5 BIG-IP, and Netty. In some vendor implementations, the attack can escalate into out-of-memory crashes.

Timeline

  1. 14.08.2025 18:20 · 1 article

    MadeYouReset HTTP/2 vulnerability disclosed

    Initial Disclosure

    Researchers disclosed MadeYouReset, a new HTTP/2 attack technique tracked as CVE-2025-8671. It bypasses the usual limit of 100 concurrent requests per TCP connection and can force large-scale denial-of-service, including out-of-memory crashes in some vendor implementations. The issue affects Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163). CERT/CC described a mismatch between HTTP/2 stream resets and real-world web server architectures as the resource-exhaustion mechanism, and the technique builds on Rapid Reset mitigations by provoking server-issued RST_STREAM responses without sending RST_STREAM from the client. Akamai and Cloudflare addressed related issues after the disclosure.
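
A small Python model of the accounting gap described above, added here as an illustration; it is not code from the cited article or from any affected vendor. It assumes a server-issued reset frees the stream slot while the backend work for that request keeps running, and the event names, `SERVER_RESET_BUDGET` and the guard logic are hypothetical.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # per-connection limit mentioned in the text
SERVER_RESET_BUDGET = 20      # hypothetical threshold; tune per deployment

@dataclass
class Conn:
    open_streams: set = field(default_factory=set)  # what the HTTP/2 layer counts
    backend_busy: set = field(default_factory=set)  # requests still using workers/memory
    server_resets: int = 0
    closed: bool = False

def replay(events, guard=False):
    """Replay (kind, stream_id) events; return (peak_open, peak_backend, closed)."""
    c, peak_open, peak_backend = Conn(), 0, 0
    for kind, sid in events:
        if c.closed:
            break
        if kind == "request":
            if len(c.open_streams) >= MAX_CONCURRENT_STREAMS:
                continue  # refused by the protocol-level limit
            if guard and len(c.backend_busy) >= MAX_CONCURRENT_STREAMS:
                continue  # guard: count work still running for reset streams too
            c.open_streams.add(sid)
            c.backend_busy.add(sid)
        elif kind == "server_rst":
            c.open_streams.discard(sid)  # slot freed, backend work not cancelled (assumption)
            c.server_resets += 1
            if guard and c.server_resets > SERVER_RESET_BUDGET:
                c.closed = True  # guard: drop a connection that keeps triggering resets
        elif kind == "backend_done":
            c.open_streams.discard(sid)
            c.backend_busy.discard(sid)
        peak_open = max(peak_open, len(c.open_streams))
        peak_backend = max(peak_backend, len(c.backend_busy))
    return peak_open, peak_backend, c.closed

# Constructed traces (not captured traffic); stream ids are odd, as client streams are.
IDS = list(range(1, 1001, 2))
RESET_HEAVY = [e for sid in IDS for e in (("request", sid), ("server_rst", sid))]
NORMAL = [("request", s) for s in IDS[:50]] + [("backend_done", s) for s in IDS[:50]]

if __name__ == "__main__":
    print("unguarded:", replay(RESET_HEAVY))
    print("guarded:  ", replay(RESET_HEAVY, guard=True))
    print("normal:   ", replay(NORMAL, guard=True))
```

In the unguarded replay the protocol-level count never exceeds one open stream while backend work grows with every reset, which is why a per-connection stream limit alone does not bound resource use.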
