A severe flaw in the HTTP/2 protocol threatens web server downtime. This flaw opens the door to powerful DDoS attacks.
Researchers at Tel Aviv University named the bug “MadeYouReset.” It abuses the existing "Rapid Reset" vulnerability. It ranks 7.5 out of 10 in severity.
How the flaw works
- Attackers open many streams over a single connection.
- They then trigger stream resets using malformed frames or flow-control errors.
- The server treats those streams as closed.
- But backend processes continue to run.
- Attackers bypass the usual MAX_CONCURRENT_STREAMS limit.
Who is affected
- HTTP/2 servers using Netty, Jetty, Apache Tomcat are vulnerable.
- Most servers remain unpatched.
Current status
- Researchers disclosed the flaw to vendors.
- Fixes are rolling out across affected platforms.
Recommended actions
- Identify if your server uses HTTP/2 (especially with Netty, Jetty, or Tomcat).
- Apply available patches immediately.
- Monitor vendor advisories and updates closely.
- Consider temporarily disabling HTTP/2 until patched.
- Test for abnormal reset behavior or unexpected resource use.
This flaw exposes a new, stealthy method for DDoS. Servers may crash while reporting streams as closed.
You have an opportunity to act quickly. Update your systems. Stay alert.
