SUSE Support


Security vulnerability: CVE-2025-8671: HTTP/2 'MadeYouReset' DoS attack

This document (000021980) is provided subject to the disclaimer at the end of this document.

Environment

Situation

Researchers from Tel Aviv University have recently discovered a vulnerability in several HTTP/2 implementations which can be exploited to cause a denial of service in applications that depend on these implementations. The vulnerability, which was assigned CVE-2025-8671, is now known as 'MadeYouReset'.

Resolution

Several upstream projects have updated their code to implement a fix for the issue, and have also provided patches that allow the vulnerability to be addressed in versions of their software shipped with SUSE products.

The following packages are affected:
- netty
- jetty
- tomcat

Please monitor the SUSE CVE announcements for the availability of the updated packages.

Cause

The 'MadeYouReset' vulnerability is caused by a flaw in HTTP/2 implementations that treat a stream reset as a stream close at the protocol level while the server continues to process the request on that stream. By continuously triggering resets on a target server, an attacker can overload it: the requests keep being processed even though the reset streams are considered closed at the protocol level.

This is not a flaw in the HTTP/2 protocol itself, but a flaw in implementations of the protocol. In HTTP/2, both client and server are allowed to close streams at any time. Certain implementations, however, continue to process requests and generate responses even when those responses will never be sent back to the client, because the stream is already considered closed. This creates a mismatch between the number of HTTP requests actually being processed by the backend and the number of streams considered active at the protocol level. By opening streams and then rapidly causing the server to reset them through malformed frames or flow control errors, an attacker can exploit this mismatch: the server will try to handle an unbounded number of concurrent HTTP/2 requests on a single connection, leading to resource exhaustion.
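To illustrate the mismatch described above, the following Python model (added here; it is not SUSE's code nor the code of netty, jetty or tomcat) contrasts a connection that bounds only protocol-level open streams with one that also bounds backend work in flight and the number of server-sent resets, the kind of accounting that closes the gap; the limit values are assumed for the example.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # assumed: protocol-level limit advertised in SETTINGS
MAX_INFLIGHT_WORK = 100       # assumed: backend requests the server will hold per connection
MAX_SERVER_RESETS = 50        # assumed: RST_STREAMs the server sends before closing the connection

@dataclass
class Connection:
    track_backend_work: bool  # False: vulnerable accounting, True: hardened accounting
    open_streams: set = field(default_factory=set)  # streams open at the protocol level
    inflight: set = field(default_factory=set)      # requests the backend is still processing
    server_resets: int = 0
    goaway: bool = False  # True once the server has sent GOAWAY and accepts no new streams

    def on_headers(self, stream_id):
        """Client opened a stream; the request is handed to the backend."""
        if self.goaway:
            return "ignored"
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return "refused"  # the only limit the vulnerable accounting enforces
        if self.track_backend_work and len(self.inflight) >= MAX_INFLIGHT_WORK:
            self.goaway = True  # hardened: bound the work actually in progress
            return "goaway"
        self.open_streams.add(stream_id)
        self.inflight.add(stream_id)
        return "dispatched"

    def on_stream_error(self, stream_id):
        """Client stream error (malformed frame, flow-control violation): server sends RST_STREAM."""
        self.open_streams.discard(stream_id)  # closed at the protocol level only
        self.server_resets += 1
        # Hardened: a burst of server-sent resets is itself a reason to end the connection.
        if self.track_backend_work and self.server_resets > MAX_SERVER_RESETS:
            self.goaway = True
            return "goaway"
        return "reset"  # vulnerable: the backend keeps working and nothing counts it

    def on_backend_done(self, stream_id):
        self.inflight.discard(stream_id)  # only now is the work really gone

def simulate(track_backend_work, n_requests):
    """n streams, each hitting a stream error at once while the backend stays busy with all."""
    conn = Connection(track_backend_work)
    for i in range(n_requests):
        sid = 2 * i + 1  # client-initiated streams use odd identifiers
        if conn.on_headers(sid) != "dispatched":
            break
        conn.on_stream_error(sid)
    return len(conn.open_streams), len(conn.inflight), conn.goaway
```

With the vulnerable accounting, `simulate(False, 1000)` ends with zero open streams but 1000 requests still in flight; the hardened accounting sends GOAWAY after 51 resets and stops accepting streams.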

When targeted, a server will exhaust either its memory or its processing capacity. This can lead to a crash (the service goes completely offline) or to a reduction in the number of client connections that can be handled at a given time (the service becomes intermittent and/or slow to respond to client requests).

The 'MadeYouReset' vulnerability is similar to, but not the same as, the 'RapidReset' vulnerability (CVE-2023-44487, https://www.suse.com/support/kb/doc/?id=000021240). Information on 'MadeYouReset' was publicly disclosed on August 13, 2025; prior to this date, there was no record of any 'MadeYouReset' attacks in the wild.

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021980
  • Creation Date: 13-Aug-2025
  • Modified Date: 01-Sep-2025
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
