HTTP/2 Security Update Advisory
Overview
We have released a security update to address vulnerabilities in HTTP/2. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2025-8671
HTTP/2 version: Check product-specific references [2][3][4][5][6]
CVE-2025-55163
Netty version: 4.2.3 or earlier
Netty version: 4.1.123 or earlier
Resolved Vulnerabilities
Denial-of-service vulnerability caused by a mismatch, exposed through client-triggered server stream resets, between the HTTP/2 specification and the internal architecture of some HTTP/2 implementations (CVE-2025-8671)
Denial-of-service vulnerability in the HTTP/2 implementation in Netty (CVE-2025-55163)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the sites listed under References to update to a patched version.
CVE-2025-8671
HTTP/2 version: Check product-specific references [2][3][4][5][6]
CVE-2025-55163
Netty version: 4.2.4 or later
Netty version: 4.1.124 or later
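The following inventory check is an added example, not part of the original advisory or of the Netty project: it flags Netty HTTP/2 codec jars whose version falls in the affected ranges listed above. It assumes Maven-style jar file names and that the HTTP/2 codec ships as the `netty-codec-http2` artifact; the sample file names are constructed.

```python
import re

# Fixed releases as stated in this advisory.
FIXED_4_1 = (4, 1, 124)
FIXED_4_2 = (4, 2, 4)

# Assumption: Maven-style names such as netty-codec-http2-4.1.123.Final.jar.
# Only the HTTP/2 codec artifact is matched; other netty-* jars (for example
# netty-tcnative) use unrelated version numbers and must not be compared.
JAR_RE = re.compile(r"^netty-codec-http2-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")

def parse_netty_jar(filename):
    """Return (major, minor, patch), or None if this is not an HTTP/2 codec jar."""
    m = JAR_RE.match(filename)
    return tuple(int(g) for g in m.groups()) if m else None

def fixed_for(version):
    """Pick the fixed release for the branch the version belongs to."""
    return FIXED_4_2 if version[:2] >= (4, 2) else FIXED_4_1

def is_affected(version):
    """True if the version is older than the fixed release on its branch.
    Qualifiers (.Final, .RC1, ...) are ignored, so pre-releases of an
    affected number are treated as affected."""
    return version < fixed_for(version)

def audit(filenames):
    """Return [(jar name, minimum fixed version)] for every affected jar."""
    findings = []
    for name in filenames:
        version = parse_netty_jar(name)
        if version is not None and is_affected(version):
            findings.append((name, ".".join(map(str, fixed_for(version)))))
    return findings

# Constructed sample: a listing of a hypothetical application lib/ directory.
SAMPLE = [
    "netty-codec-http2-4.1.123.Final.jar",
    "netty-codec-http2-4.1.124.Final.jar",
    "netty-codec-http2-4.2.3.Final.jar",
    "netty-codec-http2-4.2.4.Final.jar",
    "netty-tcnative-boringssl-static-2.0.70.Final.jar",
    "guava-33.0.0-jre.jar",
]

if __name__ == "__main__":
    for jar, fixed in audit(SAMPLE):
        print(f"AFFECTED {jar}: update to {fixed} or later")
```

Shaded or repackaged copies of Netty inside other jars will not be found by file name, so treat an empty result as a starting point rather than proof of absence.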
References
[1] MadeYouReset
https://deepness-lab.org/publications/madeyoureset/
[2] [SECURITY] CVE-2025-48989 Apache Tomcat – DoS in HTTP/2 – Made You Reset
https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
[3] MadeYouReset HTTP/2 DDoS vulnerability
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
[4] Security vulnerability: CVE-2025-8671: HTTP/2 ‘MadeYouReset’ DoS attack
https://www.suse.com/support/kb/doc/?id=000021980
[5] Fastly’s Response to the MadeYouReset HTTP/2 Security Vulnerability (CVE-2025-8671)
https://www.fastlystatus.com/incident/377810
[6] HTTP/2 MadeYouReset DDoS vulnerability
https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq