LiteSpeed Not Affected By MadeYouReset
Here is what you need to know about LiteSpeed and the HTTP/2 MadeYouReset vulnerability, specifically CVE-2025-8671:
- MadeYouReset uses malformed HTTP/2 control frames in order to break the maximum concurrent streams limit.
- LiteSpeed server products (including LiteSpeed Web Server Enterprise, LiteSpeed Web ADC, and OpenLiteSpeed) are NOT vulnerable to MadeYouReset attacks.
What is MadeYouReset?
The MadeYouReset vulnerability was announced today as Vulnerability Note #767506 published by the CERT Coordination Center.
The note states:
By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, an attacker can exploit a discrepancy created between HTTP/2 streams accounting and the server's active HTTP requests. Streams reset by the server are considered closed, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent HTTP/2 requests on a single connection.
How are LiteSpeed Users Protected?
We simulated a MadeYouReset attack, and our LiteSpeed servers quickly blocked it due to the aggressiveness of the HTTP/2 behavior. Before blocking the client, LiteSpeed’s memory usage was not affected. This is mainly because of LiteSpeed’s efficient stream life cycle and memory management. Resources are promptly released when streams are reset, even in cases where a quick blocking is not triggered.
We are confident that MadeYouReset attacks cannot cause any trouble with LiteSpeed’s HTTP/2 implementation.
If you are using LiteSpeed Web Server Enterprise, LiteSpeed Web ADC, or OpenLiteSpeed, there is nothing you need to do. You are already immune to this attack.
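As an added illustration (not LiteSpeed code), the following constructed simulation models the accounting gap the CERT note describes and the two defensive behaviours this post attributes to LiteSpeed: releasing backend resources promptly when a stream is reset, and blocking a client whose reset behaviour is too aggressive. MAX_CONCURRENT_STREAMS, RESET_BUDGET and the attempt count are assumed values chosen for the model.

```python
"""Constructed model of the stream-accounting gap behind MadeYouReset (CVE-2025-8671).
Protocol accounting closes a stream on reset; unless backend work is released too,
backend requests accumulate past MAX_CONCURRENT_STREAMS. Not LiteSpeed code."""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # assumed advertised SETTINGS_MAX_CONCURRENT_STREAMS
RESET_BUDGET = 50              # assumed: server-sent resets tolerated before blocking the client

@dataclass
class Connection:
    release_on_reset: bool        # free backend work when a stream is reset
    enforce_reset_budget: bool    # block clients that provoke too many resets
    open_streams: set = field(default_factory=set)
    backend_active: set = field(default_factory=set)
    server_resets: int = 0
    blocked: bool = False
    peak_backend: int = 0

    def open_stream(self, sid):
        """Client opens a stream; only the protocol-level stream limit applies."""
        if self.blocked or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(sid)
        self.backend_active.add(sid)   # request handed to the backend
        self.peak_backend = max(self.peak_backend, len(self.backend_active))
        return True

    def server_reset(self, sid):
        """Server resets the stream (malformed frame or flow-control error)."""
        self.open_streams.discard(sid)   # closed as far as HTTP/2 accounting goes
        self.server_resets += 1
        if self.release_on_reset:
            self.backend_active.discard(sid)   # cancel backend work promptly
        if self.enforce_reset_budget and self.server_resets > RESET_BUDGET:
            self.blocked = True             # aggressive client: stop serving it

def simulate(release_on_reset, enforce_reset_budget, attempts=1000):
    """Client opens a stream and provokes a reset, `attempts` times.
    Returns (peak concurrent backend requests, streams opened, client blocked)."""
    conn = Connection(release_on_reset, enforce_reset_budget)
    opened = 0
    for sid in range(1, 2 * attempts, 2):   # client-initiated stream ids are odd
        if conn.open_stream(sid):
            opened += 1
            conn.server_reset(sid)
    return conn.peak_backend, opened, conn.blocked

if __name__ == "__main__":
    print(simulate(False, False), simulate(True, False), simulate(True, True))
    # (1000, 1000, False) (1, 1000, False) (1, 51, True)
```

With neither defence the backend request count grows to the full attempt count while the HTTP/2 stream count never exceeds one; releasing on reset alone keeps backend concurrency at one, and the reset budget additionally cuts the client off.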
- Learn more about the HTTP/2 MadeYouReset vulnerability at cve.org
- Get LiteSpeed Web Server