Gal Bar Nahum's Blog

MadeYouReset Series

The complete series on the MadeYouReset HTTP/2 vulnerability details and analysis.

The MadeYouReset HTTP/2 Vulnerability - What Is It?

During recent research into HTTP/2, I found a DoS vulnerability I named MadeYouReset (CVE-2025-8671). It lets an attacker create effectively unbounded concurrent work on servers while bypassing HTTP/2’s built‑in concurrency limit. It builds on the flaw behind 2023’s “Rapid Reset”, with a neat twist that slips past the usual mitigation. In this post, we’ll cover the concept at a high level, how and why it works, and begin to explain why so many implementations were affected by zooming in on a common proxy deployment.


MadeYouReset Technical Details - How (and Why) It Works?

Welcome to the deep dive into MadeYouReset. If you haven’t read the intro yet, start there for the high‑level picture. In this post, we’ll cover how MadeYouReset works - by getting familiar with the six MadeYouReset primitives - and the two behaviors that make it work:

  1. How HTTP/2 counts active streams (by inspecting its state machine)
  2. Why backend work often continues after a stream reset - which helps explain why so many vendors were affected