On 8/13/25 11:27, Alan Coopersmith wrote:
https://kb.cert.org/vuls/id/767506 was published today:
HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack
through HTTP/2 control frames
Vulnerability Note VU#767506
Original Release Date: 2025-08-13 | Last Revised: 2025-08-13
Overview
--------
A vulnerability has been discovered within many HTTP/2 implementations
allowing for denial of service (DoS) attacks through HTTP/2 control frames.
This vulnerability is colloquially known as "MadeYouReset" and is tracked
as CVE-2025-8671. Some vendors have assigned a specific CVE to their
products to describe the vulnerability, such as CVE-2025-48989, which is
used to identify Apache Tomcat products affected by the vulnerability.
OSS implementations that have responded (whether affected or not) include:
- Apache Tomcat - CVE-2025-48989
https://www.openwall.com/lists/oss-security/2025/08/13/2
- h2o - CVE-2025-8671
https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
- hyper.rs h2 - CVE-2025-8671
https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/
- ISC BIND - CVE-2025-8671
https://gitlab.isc.org/isc-projects/bind9/-/issues/5325
- lighttpd - CVE-2025-8671
https://www.lighttpd.net/2025/8/13/1.4.80/
- Netty - CVE-2025-55163
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- Varnish - CVE-2025-8671
https://varnish-cache.org/security/VSV00017.html
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
