MadeYouReset: A New HTTP/2 Flaw That Could Lead to DoS Attacks
A newly disclosed vulnerability in the HTTP/2 protocol, dubbed MadeYouReset (CVE-2025-8671), was revealed on August 13, 2025. The flaw allows an attacker to send specially crafted protocol frames that force the server to repeatedly reset streams within a single connection. This cycle of resets can result in excessive resource consumption and, in severe cases, lead to a denial-of-service (DoS) condition. In essence, the technique mirrors the earlier Rapid Reset attack (CVE-2023-44487), which likewise exploited mass stream resets to deplete system resources.
Microsoft has confirmed that its Azure Front Door service is already safeguarded against MadeYouReset. Back in 2023, while defending against Rapid Reset, engineers developed advanced filtering mechanisms that go beyond partial mitigations. Instead of restricting only client-initiated resets, they implemented a stricter protective model that evaluates all stream cancellations—regardless of origin—thereby neutralizing different exploit variations leveraging the reset mechanism.
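The difference between counting only client-initiated resets and counting every stream cancellation can be shown with a per-connection reset budget. This is an added example, not Microsoft's or Azure Front Door's code; the class, the thresholds and the sample event lists are assumptions constructed for illustration.

```python
from collections import deque

# Assumed thresholds for illustration; real limits depend on the deployment.
WINDOW_SECONDS = 10.0
MAX_RESETS_PER_WINDOW = 100


class ResetBudget:
    """Sliding-window count of cancelled streams on one HTTP/2 connection."""

    def __init__(self, count_server_resets, window=WINDOW_SECONDS,
                 limit=MAX_RESETS_PER_WINDOW):
        self.count_server_resets = count_server_resets
        self.window = window
        self.limit = limit
        self.events = deque()  # timestamps of counted resets

    def record_reset(self, now, origin):
        """Record one stream reset; return True when the connection
        has exceeded its budget and should be closed."""
        if origin not in ("client", "server"):
            raise ValueError(f"unknown reset origin: {origin!r}")
        if origin == "server" and not self.count_server_resets:
            return False  # partial mitigation: server-sent resets are invisible
        self.events.append(now)
        while self.events and self.events[0] <= now - self.window:
            self.events.popleft()  # drop resets that aged out of the window
        return len(self.events) > self.limit


def first_trip(events, budget):
    """Return the index of the reset that trips the budget, or None."""
    for i, (ts, origin) in enumerate(events):
        if budget.record_reset(ts, origin):
            return i
    return None


# Constructed samples: (timestamp in seconds, side that reset the stream).
CLIENT_RESET_FLOOD = [(i * 0.01, "client") for i in range(500)]
SERVER_RESET_FLOOD = [(i * 0.01, "server") for i in range(500)]
BENIGN_TRAFFIC = [(i * 2.0, "client") for i in range(20)]

if __name__ == "__main__":
    for name, sample in [("client flood", CLIENT_RESET_FLOOD),
                         ("server flood", SERVER_RESET_FLOOD),
                         ("benign", BENIGN_TRAFFIC)]:
        client_only = first_trip(sample, ResetBudget(count_server_resets=False))
        all_origins = first_trip(sample, ResetBudget(count_server_resets=True))
        print(f"{name}: client-only={client_only} all-origins={all_origins}")
```

A budget that ignores server-sent resets never trips on the server-reset sample, while the all-origins budget closes the connection at the same point for both floods and leaves the benign sample alone.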
For Azure customers, this means no additional action is required. The defensive measures operate automatically, ensuring that services remain stable even under attempts to exploit this new class of HTTP/2 attacks. Microsoft emphasizes that these protections not only preserve infrastructure resilience but also uphold a high standard of security in the face of evolving protocol-level threats.