The internet infrastructure is facing a new threat causing significant concern among tech companies, government agencies, and cloud service providers worldwide. This is “MadeYouReset” (CVE-2025-25063), a critical vulnerability in the HTTP/2 protocol uncovered by researchers from Google and Cloudflare that is already being exploited in large-scale Distributed Denial of Service (DDoS) attacks.
The discovery of MadeYouReset recalls that even the most widely used and seemingly robust protocols can become a weak point when innovation isn’t paired with solid security measures.
What is MadeYouReset and why is it concerning?
HTTP/2, adopted extensively over the past decade, was designed to enhance efficiency in modern web browsing: multiplexing requests, speeding up page loads, and optimizing bandwidth use. But this same sophistication has become an entry point for a new kind of attack.
MadeYouReset abuses HTTP/2 stream resets, the mechanism that lets either side terminate an in-progress request. Attackers have found that sending malformed frames en masse forces the server itself to reset the affected streams over and over.
The impact is devastating: disproportionate CPU and memory usage that can crash a service within seconds. More alarming still, attackers with limited bandwidth can amplify their impact thousands of times, which makes the attack unusually cheap to carry out.
Comparing with Rapid Reset: old ghosts return
This case resembles the Rapid Reset (CVE-2023-44487) vulnerability found two years earlier. Both focus on the same weakness: abusing the reset mechanism in HTTP/2 streams.
- Rapid Reset (2023): clients continually sent reset requests directly.
- MadeYouReset (2025): attackers trick the server with frames specifically designed to make it initiate resets.
While mitigations after Rapid Reset have partially contained this new flaw, many implementations remain vulnerable, especially in unpatched systems or outdated libraries.
Impact on businesses, cloud platforms, and governments
MadeYouReset’s effects aren’t limited to web pages. HTTP/2 is used in:
- Cloud services (AWS, Google Cloud, Microsoft Azure).
- Enterprise applications integrating HTTP/2 APIs.
- Critical platforms for e-commerce, online banking, and government services.
CISA (the Cybersecurity and Infrastructure Security Agency) quickly added MadeYouReset to its list of actively exploited vulnerabilities. The message was clear: patching must be urgent and non-negotiable.
The risk is that critical infrastructures—from healthcare systems to telecom operators—could become prime targets for coordinated cyberattacks.
Examples of attacks and the scale of the problem
While actual impact figures are still being assessed, experts warn of alarming scenarios:
- An attacker with just 10 Mbps bandwidth could cause congestion equivalent to hundreds of gigabits per second.
- Controlled tests by Google demonstrated amplification can exceed the attacker’s initial capacity by thousands of times.
- Since HTTP/2 is pervasive, attack points are countless: from mid-sized web servers to major hyperscale platforms handling a significant portion of global traffic.
Mitigation measures: what can be done?
Experts recommend acting on multiple fronts simultaneously:
1. Immediate updates and patches
Apply the fixes released by software vendors for vulnerable HTTP/2 libraries. Cloudflare reported that its Pingora framework, in versions prior to h2 0.4.11, was susceptible and urged urgent updates.
2. Traffic controls and connection limits
Cap the number of stream resets permitted per connection and configure monitoring to detect abusive reset patterns.
3. Advanced DDoS mitigation
Implement early detection and filtering solutions. Cloudflare and Google noted that their customers are already protected through measures developed in response to Rapid Reset.
4. Backup plan: disable HTTP/2 in critical environments
In sectors where uptime is vital, some recommend temporarily disabling HTTP/2 until systems are confirmed protected.
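As an added example that is not part of the original article: detection logic for the "limit resets per connection" recommendation above, run over a constructed HTTP/2 frame-event log. The log layout, connection ids, threshold and window are assumptions; server-sent resets are counted separately from client-sent ones so the alert says which variant (MadeYouReset or Rapid Reset) the traffic resembles.

```python
from collections import defaultdict

# Constructed sample of HTTP/2 frame events (not from the page or any real
# server): (time_s, conn_id, direction, frame_type, stream_id, detail).
# "s2c RST_STREAM" is a reset the server itself sent, which is what
# MadeYouReset provokes; "c2s RST_STREAM" is a client-sent reset (Rapid Reset).
def constructed_events():
    events = []
    # conn-1: 150 streams opened in 0.3 s, each answered by a server-sent reset
    for i in range(150):
        sid = 2 * i + 1
        t = i * 0.002
        events.append((t, "conn-1", "c2s", "HEADERS", sid, ""))
        events.append((t + 0.001, "conn-1", "s2c", "RST_STREAM", sid, "PROTOCOL_ERROR"))
    # conn-2: ordinary browsing, three streams and one cancelled download
    for i, sid in enumerate((1, 3, 5)):
        events.append((i * 0.5, "conn-2", "c2s", "HEADERS", sid, ""))
        events.append((i * 0.5 + 0.2, "conn-2", "s2c", "HEADERS", sid, "200"))
    events.append((1.3, "conn-2", "c2s", "RST_STREAM", 5, "CANCEL"))
    return sorted(events)

def max_in_window(times, window_s):
    """Largest number of timestamps falling inside any window of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_reset_abuse(events, window_s=1.0, max_resets=100):
    """Return {conn_id: {direction: peak}} for connections whose RST_STREAM
    rate in any window exceeds max_resets (threshold is an assumed value).
    Client-sent (c2s) and server-sent (s2c) resets are tracked separately."""
    resets = defaultdict(list)
    for t, conn, direction, frame, _sid, _detail in events:
        if frame == "RST_STREAM":
            resets[(conn, direction)].append(t)
    flagged = defaultdict(dict)
    for (conn, direction), times in resets.items():
        peak = max_in_window(times, window_s)
        if peak > max_resets:
            flagged[conn][direction] = peak
    return dict(flagged)

if __name__ == "__main__":
    for conn, hit in flag_reset_abuse(constructed_events()).items():
        print(conn, hit)  # conn-1 {'s2c': 150}
```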
A lesson for the internet: speed vs security
The story of MadeYouReset highlights a classic dilemma: should innovation sacrifice security for performance?
HTTP/2 was created to improve user experience, but its complexities open new avenues for attackers. The resilience of the internet depends equally on innovation and the capacity to respond to critical vulnerabilities.
Researchers from Tel Aviv University, involved in the discovery, warned that design flaws in fundamental protocols are inevitable. The key lies in swift patching and shared responsibility among developers, providers, and end-users.
Short-term outlook
- More sophisticated attacks: cybercriminals may combine MadeYouReset with other amplification techniques.
- Increased regulatory pressure: regulators in the EU and US could demand stricter response times for critical patches.
- Shift toward HTTP/3: HTTP/3, built on QUIC, is not immune, but its architecture could reduce the attack surface for these techniques.
In sum, MadeYouReset will be remembered as another chapter in the evolution of internet security but also as a stark reminder: the foundations of the global network can never be considered fully secure.
FAQs
What’s the difference between MadeYouReset and Rapid Reset?
Both exploit the HTTP/2 reset mechanism, but MadeYouReset deceives the server with malformed frames to trigger resets, whereas Rapid Reset involved clients directly sending reset requests.
Which systems are most vulnerable?
Systems running unpatched implementations of HTTP/2 — this includes enterprise servers, open-source libraries, and some cloud services that haven’t been updated.
What’s the potential economic impact?
DDoS attacks can cause millions in losses through downtime, disruption of critical operations, and mitigation costs. Large-scale incidents could amount to hundreds of millions of euros.
Can this attack be entirely prevented?
No, but applying patches, limiting resets, deploying advanced mitigation, and monitoring traffic in real-time significantly lower the risk of exploitation.
Source: MadeYouReset on OpenSecurity