MadeYouReset: An HTTP/2 vulnerability thwarted by Rapid Reset mitigations

Cloudflare details the MadeYouReset (CVE-2025-8671) HTTP/2 denial-of-service vulnerability disclosed by Tel Aviv University researchers, explaining that abusing server-sent RST_STREAMs can exhaust server resources. The blog notes the issue impacts a limited set of unpatched HTTP/2 implementations, highlights prior related Rapid Reset mitigations, confirms Cloudflare is not vulnerable, and advises updating affected h2 library versions and implementing RFC 9113 mitigations.