Edward Kiledjian's Threat Intel

‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks - SecurityWeek

Researchers from Imperva and Tel Aviv University have uncovered “MadeYouReset,” a new HTTP/2-based DDoS attack vector exploiting a design flaw tracked as CVE-2025-8671. Similar to 2023’s record-breaking Rapid Reset, the flaw allows attackers to overwhelm servers by repeatedly resetting streams, triggering unbounded backend processing. Impacting vendors such as Apache Tomcat, F5, Fastly, Mozilla, and SUSE Linux, the vulnerability can blend with normal traffic and bypass many defences. While no exploitation in the wild has been reported, patches and mitigations are being issued, with some projects still assessing impact.