Home > Vulnerability Database > CVE-2025-8671

Mend.io Vulnerability Database

CVE-2025-8671

Good to know:

Date: August 13, 2025

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.

Severity Score

7.5

Related Resources (24)

Url: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq

Url: https://varnish-cache.org/security/VSV00017.html

Url: https://rustsec.org/advisories/RUSTSEC-2025-0070.html

Url: https://github.com/cloudflare/pingora/security/advisories/GHSA-393w-9x6h-8gc7

Url: https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/

Url: https://www.fastlystatus.com/incident/377810

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-8671

Url: https://github.com/Kong/kong/discussions/14731

Url: https://galbarnahum.com/made-you-reset

Url: https://github.com/varnish/hitch/issues/397

Url: https://deepness-lab.org/publications/madeyoureset/

Url: https://gitlab.isc.org/isc-projects/bind9/-/issues/5325

Url: https://security.alpinelinux.org/vuln/CVE-2025-8671

Url: https://crates.io/crates/pingora-core

Url: https://security-tracker.debian.org/tracker/CVE-2025-8671

Url: https://github.com/h2o/h2o/commit/4729b661e3c6654198d2cc62997e1af58bef4b80

Url: https://github.com/galbarnahum/MadeYouReset

Url: https://www.suse.com/support/kb/doc/?id=000021980

Url: https://github.com/envoyproxy/envoy/issues/40739

Url: https://github.com/jetty/jetty.project/pull/13449

Url: https://support2.windriver.com/index.php?page=security-notices

Url: https://kb.cert.org/vuls/id/767506

Url: https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/

Url: https://www.mend.io/vulnerability-database/CVE-2025-8671

Severity Score

7.5

Weakness Type (CWE)

Improper Resource Shutdown or Release

CWE-404

Top Fix

Upgrade Version

Upgrade to version https://github.com/h2o/h2o.git - null

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-8671

Good to know:

Date: August 13, 2025

Severity Score

Related Resources (24)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?