During recent research into HTTP/2, I found a DoS vulnerability I call MadeYouReset (CVE‑2025‑8671), publicly disclosed on 13 Aug 2025. It lets an attacker create effectively unbounded concurrent work on servers by bypassing HTTP/2’s built-in concurrency limit - causing a denial of service condition. It builds on the flaw behind 2023’s “Rapid Reset”, with a neat twist that slips past the common mitigation. In this post, we’ll cover how MadeYouReset works at a high level.

In the last blog post we talked about the shortcomings of HTTP/1.1 and the magical promises of HTTP/2. But how does that actually work under the hood? By the end of the first part of the “HTTP/2 - How?” posts, you’ll understand exactly how HTTP/2 implements the binary frames that are the basic units of the protocol, how stream multiplexing works, what are the different types of frames HTTP/2 uses, what are their purpose and we will wrap everything up with understanding the protocol flow of HTTP/2.

In this post, we will see why we needed HTTP/2, and more precisely, where HTTP/1.1 falls short. Then we will look at how HTTP/2 solves those problems at a high level.