
Cloud Vulnerability DB
A community-led vulnerabilities database
The MadeYouReset vulnerability (CVE-2025-8671) is a denial of service (DoS) vulnerability discovered in HTTP/2 implementations, publicly disclosed on August 13, 2025. The vulnerability exploits a mismatch between HTTP/2 specifications and internal architectures of some HTTP/2 implementations, allowing attackers to cause excessive server resource consumption. This vulnerability is similar to the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487) disclosed in 2023, but with a different attack vector (CERT VU, Gal Blog).
The vulnerability stems from how HTTP/2 implementations handle stream resets. When the server resets a stream because of a malformed frame or a flow-control error, that stream is considered closed at the protocol level, but the backend processing already started for it continues. An attacker can exploit this discrepancy by opening streams and rapidly triggering the server to reset them, causing the server to handle an unbounded number of concurrent streams on a single connection. The HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS parameter, which should bound concurrent streams, becomes ineffective because reset streams are no longer counted against the limit even though the work they triggered is still in flight (CERT VU, H2O Advisory).
The primary impact is the potential for denial of service attacks. Attackers can force targets offline or severely limit connection capabilities by making servers process an extremely high number of concurrent requests. Affected systems may experience either high CPU overload or memory exhaustion, depending on their HTTP/2 implementation (CERT VU, SUSE KB).
Various vendors have released patches to address the vulnerability. For systems that cannot be immediately patched, the primary mitigation is to disable HTTP/2 support. Some vendors recommend removing h2 from the ALPN protocol list if using a TLS terminator. Additionally, implementing rate limits on RST_STREAMs sent from the server and monitoring stream reset patterns can help mitigate the attack (Varnish Advisory, Fastly Status).
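The accounting gap described above, and the two mitigations just mentioned (counting in-flight backend work against the stream limit, and rate-limiting server-sent RST_STREAMs), can be made concrete with a small per-connection model. This is an added example written for this page, not code from any vendor advisory or HTTP/2 implementation; the stream limit of 100, the one-second window and the reset threshold of 50 are assumed values, and the function names (`open_stream`, `server_reset`, `backend_done`, `simulate`) are hypothetical.

```python
# Added example (not from the advisory or any vendor's code): a minimal model of
# per-connection stream accounting showing why SETTINGS_MAX_CONCURRENT_STREAMS
# alone does not bound backend work after server-sent resets, and two mitigations.
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100     # value advertised in SETTINGS_MAX_CONCURRENT_STREAMS (assumed)
RESET_WINDOW_SECONDS = 1.0       # sliding window for the reset-rate check (assumed)


@dataclass
class Connection:
    protocol_open: set = field(default_factory=set)    # streams open in the RFC 9113 state machine
    backend_active: set = field(default_factory=set)   # streams whose backend processing has not finished
    reset_times: deque = field(default_factory=deque)  # timestamps of server-sent RST_STREAM frames
    closed: bool = False                               # True once we decide to GOAWAY the connection


def open_stream(conn, stream_id, count_backend):
    """Admit a new client stream. Returns True if accepted.

    count_backend=False reproduces the flawed accounting: only protocol-open
    streams count against the limit, so a stream the server has reset frees a
    slot even though its backend work is still running.
    count_backend=True is the hardened form: in-flight backend work also counts."""
    if conn.closed:
        return False
    if count_backend:
        in_flight = len(conn.protocol_open | conn.backend_active)
    else:
        in_flight = len(conn.protocol_open)
    if in_flight >= MAX_CONCURRENT_STREAMS:
        return False
    conn.protocol_open.add(stream_id)
    conn.backend_active.add(stream_id)
    return True


def server_reset(conn, stream_id, now, reset_limit=None):
    """Server sends RST_STREAM for a stream (e.g. after a malformed frame).

    The stream becomes closed at the protocol level, but backend_active keeps
    it until backend_done() runs. With reset_limit set, more than reset_limit
    server-sent resets inside RESET_WINDOW_SECONDS closes the connection."""
    conn.protocol_open.discard(stream_id)
    conn.reset_times.append(now)
    while conn.reset_times and now - conn.reset_times[0] > RESET_WINDOW_SECONDS:
        conn.reset_times.popleft()
    if reset_limit is not None and len(conn.reset_times) > reset_limit:
        conn.closed = True
    return not conn.closed


def backend_done(conn, stream_id):
    """Backend finished a stream; only now does it stop counting as in-flight."""
    conn.backend_active.discard(stream_id)


def simulate(n_streams, count_backend, reset_limit=None):
    """Worst case: every stream is reset by the server right after it opens and
    the backend never completes within the window. Returns a summary dict."""
    conn = Connection()
    accepted = 0
    for i in range(n_streams):
        stream_id = 2 * i + 1   # client-initiated streams are odd-numbered
        if open_stream(conn, stream_id, count_backend):
            accepted += 1
            server_reset(conn, stream_id, now=0.0, reset_limit=reset_limit)
    return {
        "accepted": accepted,
        "backend_in_flight": len(conn.backend_active),
        "connection_closed": conn.closed,
    }


if __name__ == "__main__":
    print("flawed accounting   :", simulate(500, count_backend=False))
    print("count backend work  :", simulate(500, count_backend=True))
    print("reset rate limit 50 :", simulate(500, count_backend=False, reset_limit=50))
```

With the flawed accounting all 500 streams are admitted and 500 units of backend work stay in flight on one connection, which is the resource exhaustion the advisory describes. Counting backend work caps admission at the advertised limit, and the reset-rate check closes the connection after the 51st server-sent reset in the window; the same reset counter is what a monitoring rule for "stream reset patterns" would alert on.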
Multiple major vendors and organizations have responded to the vulnerability. Mozilla confirmed their websites and services were affected but noted their client software like Firefox was not impacted. Fastly implemented fixes in their infrastructure by June 2025, ahead of public disclosure. The IETF HTTP Working Group clarified that this is not a protocol vulnerability but an implementation issue, emphasizing that HTTP/2 implementations need to properly handle denial of service scenarios (CERT VU).
Source: This report was generated using AI