Описание
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| h2o | removed | package | ||
| h2o | no-dsa | bookworm | package | |
| h2o | postponed | bullseye | package | |
| haproxy | not-affected | package | ||
| varnish | fixed | 7.7.2-1 | package | |
| varnish | no-dsa | trixie | package | |
| varnish | ignored | bookworm | package | |
| varnish | ignored | bullseye | package |
Примечания
https://kb.cert.org/vuls/id/767506
https://galbarnahum.com/made-you-reset
h2o: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
h2o: https://github.com/h2o/h2o/commit/579ecfaca155d1f9f12bfd0cff6086dcda4b9692
lighttpd: https://www.lighttpd.net/2025/8/13/1.4.80/
lighttpd: https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9 (lighttpd-1.4.80)
varnish: https://varnish-cache.org/security/VSV00017.html
varnish: https://github.com/varnishcache/varnish-cache/commit/1aa6e49201acc64ec40b55a5482d1b26e939ff1c (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/f960bccb5c3558ad9c49d7d01ac689c1c614f741 (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/7710a5da9958d1b63720e4f6565dd1d87619d4c6 (varnish-7.7.2)
varnish: Regression: https://github.com/varnishcache/varnish-cache/issues/4380
varnish: Regression fix: https://github.com/varnishcache/varnish-cache/commit/cfee49ee9054a238bda686666ac6e471fbbfca10 (varnish-7.7.3)
Unaffected implementations not requiring code changes:
- lighttpd: Cf. https://bugs.debian.org/1111140#10 . Adds detection f HTTP/2 MadeYouReset so that log
watchers can be configured to block offending IPs.
EPSS
Связанные уязвимости
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
Уязвимость реализации протокола HTTP/2, связанная с некорректным освобождением ресурса, позволяющая нарушителю вызвать отказ в обслуживании
EPSS