What is the 'Made You Reset' attack?

The 'Made You Reset' attack is part of a broader HTTP/2 protocol vulnerability (tracked as CVE-2025-8671) that affects multiple implementations across web infrastructure. It's an evolution of the 'Rapid Reset' attacks from 2023, but instead of abusing client-sent stream resets, this new technique tricks the server into canceling requests automatically.

How does the 'Made You Reset' attack work technically?

By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, attackers can exploit incorrect stream accounting. This allows clients to cause servers to handle an increasing number of concurrent streams on a single connection, causing an overload and crash.

How is 'Made You Reset' different from the previous 'Rapid Reset' attacks?

While the previous 'Rapid Reset' attacks (CVE-2023-44487) from 2023 abused client-sent stream resets, the new 'Made You Reset' technique tricks the server into canceling requests automatically, making it a more sophisticated evolution of the attack method.

How can organizations fix CVE-2025-48989 in Apache Tomcat?

Organizations should upgrade to the following fixed versions: Apache Tomcat 11.0.10 or later (fixes versions 11.0.0-M1 through 11.0.9), Apache Tomcat 10.1.44 or later (fixes versions 10.1.0-M1 through 10.1.43), or Apache Tomcat 9.0.108 or later (fixes versions 9.0.0.M1 through 9.0.107).

Are there any workarounds for CVE-2025-48989?

No, there are no effective workarounds available for CVE-2025-48989. Organizations must upgrade to the patched versions to address this vulnerability.

Are older end-of-life Tomcat versions affected?

Older end-of-life versions may also be vulnerable but are not confirmed. Organizations using unsupported versions should consider migrating to supported versions that have received security patches.

What is the severity level of CVE-2025-48989?

CVE-2025-48989 has a CVSS score of 7.5, indicating it is a high severity vulnerability that could enable devastating denial-of-service attacks against web servers running vulnerable Apache Tomcat versions.

What is the relationship between CVE-2025-48989 and CVE-2025-8671?

CVE-2025-48989 is the specific Apache Tomcat implementation of the broader 'Made You Reset' vulnerability, while CVE-2025-8671 tracks the broader HTTP/2 protocol vulnerability that affects multiple implementations across different vendors and projects.

When were the Apache Tomcat patches released?

The Apache Software Foundation has released patches to address this vulnerability across all affected Tomcat versions, with fixed versions including Apache Tomcat 11.0.10, 10.1.44, and 9.0.108 or later for their respective branches.

Advisory

Apache Tomcat "Made You Reset" vulnerability exposes risk of Denial-of-Service attacks

Q: What is CVE-2025-48989 and which systems does it affect?

CVE-2025-48989 is a vulnerability in Apache Tomcat's HTTP/2 implementation with a CVSS score of 7.5 that could enable attackers to launch devastating denial-of-service attacks against web servers. It affects Apache Tomcat 11.0.0-M1 through 11.0.9, Apache Tomcat 10.1.0-M1 through 10.1.43, and Apache Tomcat 9.0.0.M1 through 9.0.107.

Q: Which other vendors and products are affected by the broader 'Made You Reset' vulnerability?

The broader 'Made You Reset' vulnerability (CVE-2025-8671) affects numerous HTTP/2 implementations including AMPHP, Apache Tomcat, Eclipse Foundation projects, F5 Networks, Fastly, gRPC, Mozilla services, Netty, SUSE Linux, Varnish Software, Wind River, and Zephyr Project.

Q: Is CVE-2025-48989 being actively exploited?

No evidence of active exploitation has been reported. However, the public disclosure of technical details and proof-of-concept code increases the probability of attacks in the future.

Q: Have other vendors released patches for the 'Made You Reset' vulnerability?

Yes, the coordinated disclosure has resulted in patches from multiple vendors. Fastly implemented fixes in release 25.17 deployed across their infrastructure on June 2, 2025, and Varnish Software released patches for Cache 7.6.4, 7.7.2, and Enterprise 6.0.14r5.

Q: What makes this vulnerability particularly concerning for web infrastructure?

The vulnerability's broad impact across HTTP/2 implementations highlights ongoing challenges in protocol security, as performance optimizations can inadvertently create new attack vectors. Since HTTP/2 is widely used across web infrastructure, this vulnerability could potentially affect a significant portion of web servers worldwide.

published: Aug. 15, 2025

Take action: If you're running Apache Tomcat, review this vulnerability. It's not an urgent patch, but if you are running a vulnerable version, either plan a patch cycle or be aware that the DoS attack can happen and your systems will succumb to it. Discuss internally, whether this is a high risk for you.

Learn More

he Apache Software Foundation is reporting a vulnerability in Apache Tomcat's HTTP/2 implementation that could enable attackers to launch devastating denial-of-service attacks against web servers worldwide.

This flaw is tracked as CVE-2025-48989 (CVSS score 7.5) is part of a broader HTTP/2 protocol vulnerability known as "Made You Reset" that affects multiple implementations across the web infrastructure.

The "Made You Reset" attack is an evolution of the "Rapid Reset" attacks (CVE-2023-44487) in 2023. Rapid Reset abused client-sent stream resets. The new technique tricks the server into canceling requests automatically. By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, attackers can exploit incorrect stream accounting, allowing clients to cause servers to handle an increasing number of concurrent streams on a single connection, causing an overload and crash.

The vulnerability affects Apache Tomcat 11.0.0-M1 through 11.0.9, Apache Tomcat 10.1.0-M1 through 10.1.43, and Apache Tomcat 9.0.0.M1 through 9.0.107. Older end-of-life versions may also be vulnerable but are not confirmed.

The broader "Made You Reset" vulnerability, tracked as CVE-2025-8671, affects numerous HTTP/2 implementations including AMPHP, Apache Tomcat, Eclipse Foundation projects, F5 Networks, Fastly, gRPC, Mozilla services, Netty, SUSE Linux, Varnish Software, Wind River, and Zephyr Project.

The Apache Software Foundation has released patches to address this vulnerability across all affected Tomcat versions. Organizations should upgrade to the following fixed versions:

Apache Tomcat 11.0.10 or later (fixes versions 11.0.0-M1 through 11.0.9)
Apache Tomcat 10.1.44 or later (fixes versions 10.1.0-M1 through 10.1.43)
Apache Tomcat 9.0.108 or later (fixes versions 9.0.0.M1 through 9.0.107)

There are no effective workarounds available for CVE-2025-48989.

The coordinated disclosure has resulted in patches from multiple vendors, with Fastly implementing fixes in release 25.17 deployed across their infrastructure on June 2, 2025, and Varnish Software releasing patches for Cache 7.6.4, 7.7.2, and Enterprise 6.0.14r5. However, the vulnerability's broad impact across HTTP/2 implementations highlights the ongoing challenges in protocol security as performance optimizations can inadvertently create new attack vectors.

No evidence of active exploitation has been reported, but the public disclosure of technical details and proof-of-concept code increases the probability of attacks.

Apache Tomcat "Made You Reset" vulnerability exposes risk of Denial-of-Service attacks

Read More
Progress fixes critical vulnerability in Flowmon network monitoring …
Critical vulnerability reported in FreeBSD bhyve hypervisor
SAP December 2025 patch day fixes critical code …
Microsoft reports on-premise SharePoint vulnerability under active attack
HashiCorp patches critical flaw in Vault allowing privileged …