
Name of the Vulnerable Software and Affected Versions: HTTP/2 implementations (affected versions not specified): AMPHP, Apache Tomcat, Eclipse Foundation, F5, Fastly, gRPC, Mozilla, Netty, SUSE Linux, Varnish Software, Wind River, Zephyr Project

Description: A discrepancy between the HTTP/2 specification and the internal architectures of some HTTP/2 implementations, specifically around client-triggered, server-sent stream resets, can lead to excessive server resource consumption and a denial-of-service (DoS) condition. An attacker can exploit incorrect stream accounting by opening streams and rapidly causing the server to reset them, for example with malformed frames or flow-control errors. A stream reset by the server is considered closed at the protocol level while its backend processing continues, so a client can make the server handle an unbounded number of concurrently processed streams on a single connection. The attack, named 'MadeYouReset', is similar to the Rapid Reset attack and bypasses many existing protections, because those count only streams that are open at the protocol level or resets that the client itself sends. The attack works by manipulating HTTP/2 control frames to induce the server-side reset. Approximately 99.6K+ services are found to be potentially affected yearly.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this…
PT-2025-32984 · HTTP/2
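The accounting gap the entry describes is easiest to see in a toy model. The following Python is an added example for this note, not code from any of the listed vendors: it models one HTTP/2 connection with three events (client opens a stream, server resets it, backend handler finishes). `ProtocolOnlyAccounting` enforces the concurrency limit on protocol-level open streams only, so a server-sent RST_STREAM frees the slot while the handler keeps running. `WorkAwareAccounting` is a hypothetical mitigation, not a vendor's fix: it charges a stream against the limit until its backend work completes and keeps a per-connection budget of server-triggered resets, closing the connection when the budget is exceeded. The limit and budget values are constructed for the example.

```python
"""Stream accounting for an HTTP/2 server: protocol view vs backend work.

Constructed model for this note. Events on one connection:
  open_stream(id)   client sends HEADERS, a backend handler starts
  server_reset(id)  server sends RST_STREAM (e.g. after a malformed frame)
  backend_done(id)  the handler finishes and releases its resources
"""


class ProtocolOnlyAccounting:
    """Counts only streams that are open at the protocol level.

    A server-sent RST_STREAM closes the stream on the wire, so its slot is
    freed at once, but the backend handler started for it is still running.
    This is the accounting gap the advisory describes.
    """

    def __init__(self, max_concurrent_streams):
        self.limit = max_concurrent_streams
        self.open_streams = set()      # streams open at the protocol level
        self.backend_inflight = set()  # handlers still consuming resources

    def open_stream(self, stream_id):
        if len(self.open_streams) >= self.limit:
            return False               # would be REFUSED_STREAM on the wire
        self.open_streams.add(stream_id)
        self.backend_inflight.add(stream_id)
        return True

    def server_reset(self, stream_id):
        # Protocol state becomes closed; backend work is untouched.
        self.open_streams.discard(stream_id)

    def backend_done(self, stream_id):
        self.backend_inflight.discard(stream_id)


class WorkAwareAccounting(ProtocolOnlyAccounting):
    """Hypothetical mitigation: a stream counts against the limit until its
    backend work completes, and server-triggered resets are budgeted per
    connection so an abusive peer is cut off.
    """

    def __init__(self, max_concurrent_streams, reset_budget):
        super().__init__(max_concurrent_streams)
        self.reset_budget = reset_budget
        self.server_resets = 0
        self.connection_closed = False

    def open_stream(self, stream_id):
        if self.connection_closed:
            return False
        # The limit covers everything still doing work, not just open streams.
        if len(self.open_streams | self.backend_inflight) >= self.limit:
            return False
        self.open_streams.add(stream_id)
        self.backend_inflight.add(stream_id)
        return True

    def server_reset(self, stream_id):
        super().server_reset(stream_id)
        self.server_resets += 1
        if self.server_resets > self.reset_budget:
            self.connection_closed = True   # would be GOAWAY on the wire


def simulate_reset_flood(accounting, attempts):
    """A client opens `attempts` streams, each immediately reset by the
    server, and the backend never reports completion.  Returns
    (streams accepted, backend handlers still in flight)."""
    accepted = 0
    for i in range(attempts):
        stream_id = 2 * i + 1   # client-initiated streams are odd-numbered
        if accounting.open_stream(stream_id):
            accepted += 1
            accounting.server_reset(stream_id)
    return accepted, len(accounting.backend_inflight)


if __name__ == "__main__":
    vulnerable = ProtocolOnlyAccounting(max_concurrent_streams=100)
    print("protocol-only accounting:", simulate_reset_flood(vulnerable, 10_000))
    hardened = WorkAwareAccounting(max_concurrent_streams=100, reset_budget=50)
    print("work-aware accounting:   ", simulate_reset_flood(hardened, 10_000))
```

With protocol-only accounting every one of the 10,000 streams is accepted and all 10,000 handlers remain in flight, the unbounded growth the entry warns about. With work-aware accounting the reset budget trips on the 51st server-sent reset and no further streams are accepted; had the budget been larger, the concurrency limit itself would have capped in-flight handlers at 100. In a real server the in-flight count would be decremented when the handler actually cancels or finishes, and the reset counter would be a rate rather than a lifetime total.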

