One more was published today: - Jetty - CVE-2025-5115
https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h ---------- Jetty's Team Notes > Impact > A denial of service vulnerability similar to Rapid Reset, but where the > client triggers a reset from the server by sending a malformed or invalid > frame. > In particular, this may be triggered by WINDOW_UPDATE frames that are > invalid (e.g. with delta==0 or when the delta makes the window exceed > 2^31-1). > > Patches > Patch has been merged into 12.0.x mainline via #13449. > > Workarounds > No workarounds apart disabling HTTP/2. On Sat, Aug 16, 2025 at 11:30 AM Alan Coopersmith < [email protected]> wrote: > On 8/13/25 11:27, Alan Coopersmith wrote: > > https://kb.cert.org/vuls/id/767506 was published today: > > > >> HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack > >> through HTTP/2 control frames > >> Vulnerability Note VU#767506 > >> Original Release Date: 2025-08-13 | Last Revised: 2025-08-13 > >> > >> Overview > >> -------- > >> A vulnerability has been discovered within many HTTP/2 implementations > >> allowing for denial of service (DoS) attacks through HTTP/2 control > frames. > >> This vulnerability is colloquially known as "MadeYouReset" and is > tracked > >> as CVE-2025-8671. Some vendors have assigned a specific CVE to their > >> products to describe the vulnerability, such as CVE-2025-48989, which is > >> used to identify Apache Tomcat products affected by the vulnerability. > > OSS implementations that have responded (whether affected or not) include: > > - Apache Tomcat - CVE-2025-48989 > https://www.openwall.com/lists/oss-security/2025/08/13/2 > > - h2o - CVE-2025-8671 > https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq > > - hyper.rs h2 - CVE-2025-8671 > https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/ > > - ISC BIND - CVE-2025-8671 > https://gitlab.isc.org/isc-projects/bind9/-/issues/5325 > > - lighttpd - CVE-2025-8671 > https://www.lighttpd.net/2025/8/13/1.4.80/ > > - Netty - CVE-2025-55163 > https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4 > > - Varnish - CVE-2025-8671 > https://varnish-cache.org/security/VSV00017.html > > -- > -Alan Coopersmith- [email protected] > Oracle Solaris Engineering - https://blogs.oracle.com/solaris > >
