| Name | CVE-2025-8671 |
| Description | A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| h2o (PTS) | bullseye | 2.2.5+dfsg2-6 | vulnerable |
| bookworm | 2.2.5+dfsg2-7 | vulnerable | |
| haproxy (PTS) | bullseye | 2.2.9-2+deb11u6 | fixed |
| bullseye (security) | 2.2.9-2+deb11u7 | fixed | |
| bookworm | 2.6.12-1+deb12u2 | fixed | |
| bookworm (security) | 2.6.12-1+deb12u1 | fixed | |
| forky, sid, trixie | 3.0.11-1 | fixed | |
| varnish (PTS) | bullseye | 6.5.1-1+deb11u3 | vulnerable |
| bullseye (security) | 6.5.1-1+deb11u5 | vulnerable | |
| bookworm, bookworm (security) | 7.1.1-2+deb12u1 | vulnerable | |
| forky, trixie | 7.7.0-3 | vulnerable | |
| sid | 7.7.3-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| h2o | source | (unstable) | (unfixed) | |||
| haproxy | source | (unstable) | (not affected) | |||
| varnish | source | (unstable) | 7.7.2-1 |
[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue)
- haproxy <not-affected> (Performs stream management correctly)
https://kb.cert.org/vuls/id/767506
https://galbarnahum.com/made-you-reset
h2o: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
h2o: https://github.com/h2o/h2o/commit/579ecfaca155d1f9f12bfd0cff6086dcda4b9692
lighttpd: https://www.lighttpd.net/2025/8/13/1.4.80/
lighttpd: https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9 (lighttpd-1.4.80)
varnish: https://varnish-cache.org/security/VSV00017.html
varnish: https://github.com/varnishcache/varnish-cache/commit/1aa6e49201acc64ec40b55a5482d1b26e939ff1c (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/f960bccb5c3558ad9c49d7d01ac689c1c614f741 (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/7710a5da9958d1b63720e4f6565dd1d87619d4c6 (varnish-7.7.2)
Unaffected implementations not requiring code changes:
- lighttpd: Cf. https://bugs.debian.org/1111140#10 . Adds detection f HTTP/2 MadeYouReset so that log
watchers can be configured to block offending IPs.
check, some projects will assign own CVEs and should then be covered under that specific CVE instead