
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-8GRV-JQ2G-CFHW: MadeYouReset: Turning AMPHP's Politeness Into a DDoS Weapon


Vulnerability ID: GHSA-8GRV-JQ2G-CFHW
CVSS Score: 7.5
Published: 2026-02-10

A high-severity logic flaw in the amphp/http-server implementation of HTTP/2 allows an attacker to trigger an unbounded series of server-side stream resets. The client opens a stream and then sends a frame the server must reject, so that the server itself issues the RST_STREAM ('MadeYouReset'). Each reset frees the stream's slot in the concurrent-stream budget at once while the work already dispatched for that stream continues, so a single TCP connection can exhaust server CPU and memory, effectively bypassing the SETTINGS_MAX_CONCURRENT_STREAMS limit.

TL;DR

An attacker can drive amphp/http-server through an endless cycle of allocating and tearing down HTTP/2 streams. The trick is that the server, not the client, sends the RST_STREAM: the client violates the protocol on an open stream (for example with a WINDOW_UPDATE frame whose increment is 0), the server resets the stream, and the freed slot lets the attacker open the next stream immediately without ever hitting the concurrent-stream limit. The result is a Denial of Service (DoS) via CPU and memory exhaustion.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2025-8671
  • GHSA ID: GHSA-8GRV-JQ2G-CFHW
  • CVSS Score: 7.5 (High)
  • Attack Vector: Network (HTTP/2)
  • CWE: CWE-404 (Improper Resource Shutdown or Release)
  • Impact: Denial of Service (DoS)

Affected Systems

  • amphp/http-server < 2.1.10 (fixed in 2.1.10)
  • amphp/http-server >= 3.0.0, < 3.4.4 (fixed in 3.4.4)

Code Analysis

Commit: cve-202

Implementation of stream behavior window and reset ratio limits

+ private const STREAM_BEHAVIOR_WINDOW = 10;
+ private const RESET_STREAM_RATIO = 0.25;
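Review bot: the two constants carry no doc comment saying what STREAM_BEHAVIOR_WINDOW counts (recently opened streams? frames received?) or how RESET_STREAM_RATIO is compared, and the enforcement site is not in the excerpt, so a reader cannot tell what happens when the ratio is exceeded (GOAWAY on the connection, or only refusing new streams). Suggest a one-line doc comment on each, e.g. `/** Number of most recently opened streams examined by the reset-ratio check. */`, and showing the check itself next to the constants. It is also worth stating explicitly that with these values three server-initiated resets among ten recent streams trip the limit, since that is the budget a legitimate but imperfect client gets before it is cut off.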

Exploit Details

  • GHSA: MadeYouReset technique details

Mitigation Strategies

  • Rate-limit server-initiated stream resets (RST_STREAM) per connection, for example by closing the connection with GOAWAY once the share of recently opened streams that ended in a server-sent reset exceeds a threshold.
  • Deploy HTTP/2-aware WAFs or reverse proxies that detect rapid stream churn. Note that in MadeYouReset the resets are sent by the server, so counting client-sent RST_STREAM frames, the Rapid Reset signal, will not catch it.
  • Monitor for high CPU usage paired with low network throughput and few completed responses on a small number of connections.
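To make the accounting gap described in the TL;DR and the first mitigation above concrete, here is an added Python model. It is not amphp/http-server code and not the project's fix: the constant names STREAM_BEHAVIOR_WINDOW and RESET_STREAM_RATIO are borrowed from the patch excerpt above, but what the window counts, how the ratio is compared and the GOAWAY response are this example's assumptions. It models a vulnerable connection whose server-sent RST_STREAM frees the slot while the request handler keeps running, the same connection with a window/ratio check, a plain stream flood that the concurrency limit does stop, and a well-behaved client that the check leaves alone.

```python
"""Per-connection HTTP/2 stream accounting under MadeYouReset (added model).
Not amphp/http-server code: constant names mirror the advisory's patch excerpt,
but what they count and how the check fires are this example's assumptions."""
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # SETTINGS_MAX_CONCURRENT_STREAMS advertised by the server
STREAM_BEHAVIOR_WINDOW = 10    # assumption: how many recently opened streams are judged
RESET_STREAM_RATIO = 0.25      # assumption: tolerated share of server-initiated resets


class ConnectionClosed(Exception):
    """Hardened server sent GOAWAY(ENHANCE_YOUR_CALM) and dropped the connection."""


@dataclass
class Connection:
    hardened: bool = False
    active: set = field(default_factory=set)          # streams counted against the limit
    running: set = field(default_factory=set)         # handlers still doing backend work
    server_resets: set = field(default_factory=set)   # streams the server had to reset
    recent: deque = field(default_factory=lambda: deque(maxlen=STREAM_BEHAVIOR_WINDOW))
    refused: int = 0
    closed: bool = False

    def open_stream(self, sid: int) -> bool:
        """Client HEADERS. False means RST_STREAM(REFUSED_STREAM): the limit held."""
        if self.closed:
            raise ConnectionClosed
        if len(self.active) >= MAX_CONCURRENT_STREAMS:
            self.refused += 1
            return False
        self.active.add(sid)
        self.running.add(sid)      # handler is dispatched as soon as headers arrive
        self.recent.append(sid)
        return True

    def finish_stream(self, sid: int) -> None:
        """Normal completion: response sent, slot and handler both released."""
        self.active.discard(sid)
        self.running.discard(sid)

    def protocol_violation(self, sid: int) -> None:
        """Client sends a frame the server must reject on an open stream (the
        MadeYouReset trigger, e.g. WINDOW_UPDATE with increment 0); the server
        answers RST_STREAM(PROTOCOL_ERROR). The slot is released at once, but
        nothing cancels the handler: that gap is what the attack multiplies."""
        self.active.discard(sid)
        self.server_resets.add(sid)
        if self.hardened:
            self._enforce_reset_ratio()

    def _enforce_reset_ratio(self) -> None:
        """Drop the connection once too many of the last WINDOW streams ended in a
        server-initiated reset. A partially filled window is not judged yet."""
        if len(self.recent) < STREAM_BEHAVIOR_WINDOW:
            return
        resets = sum(1 for sid in self.recent if sid in self.server_resets)
        if resets / len(self.recent) > RESET_STREAM_RATIO:
            self.closed = True
            raise ConnectionClosed("GOAWAY ENHANCE_YOUR_CALM")


def made_you_reset(conn: Connection, rounds: int) -> int:
    """Attacker loop: open a stream, force the server to reset it, repeat.
    Returns how many handlers the server is still running afterwards."""
    sid = 1
    for _ in range(rounds):
        try:
            if conn.open_stream(sid):
                conn.protocol_violation(sid)
        except ConnectionClosed:
            break
        sid += 2                   # client-initiated stream ids are odd
    return len(conn.running)


def plain_flood(conn: Connection, rounds: int) -> int:
    """Client that opens streams and never finishes them: the limit holds."""
    for i in range(rounds):
        conn.open_stream(2 * i + 1)
    return len(conn.running)


def legitimate_client(conn: Connection, requests: int) -> bool:
    """Client that completes its requests and trips a server reset only once in
    ten. Returns True if the hardened server left the connection open."""
    try:
        for i in range(1, requests + 1):
            sid = 2 * i - 1
            conn.open_stream(sid)
            if i % 10 == 0:
                conn.protocol_violation(sid)
            else:
                conn.finish_stream(sid)
    except ConnectionClosed:
        return False
    return not conn.closed
```

Calling `made_you_reset(Connection(), 1000)` leaves 1000 handlers in flight against an advertised limit of 100, while `plain_flood` on the same vulnerable connection is capped at 100 with 900 refused streams: the limit is sound, it is the server-initiated reset that sidesteps it. The hardened connection is closed after 10 streams, and the legitimate client, with one server reset per ten requests, stays well under the 0.25 ratio and keeps its connection.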

Remediation Steps:

  1. Check the installed version: composer show amphp/http-server.
  2. Update the package: composer update amphp/http-server. This respects the constraint in composer.json, so raise the constraint first if it pins a version below the fix.
  3. Verify the installed version is >= 3.4.4 on the 3.x branch, or >= 2.1.10 (and < 3.0.0) on the 2.x branch; a 3.0.x install is still vulnerable even though it is numerically above 2.1.10.
  4. Restart the PHP service/daemon so the updated code is loaded.
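As an added example (not from the advisory or from amphp), the following Python script applies exactly the two affected ranges listed above to the version recorded in a project's composer.lock, which is the check that step 3 describes. The composer.lock excerpt embedded in it is constructed; the script relies only on the `packages` / `packages-dev` arrays with `name` and `version` keys that composer.lock contains.

```python
"""Audit composer.lock for the amphp/http-server fixed versions (added example).
Not part of the advisory. Applies the advisory's two affected ranges to the
recorded version so that a 3.0.x install is not waved through by a naive
"is it >= 2.1.10?" comparison."""
import json
import re
import sys

# Affected ranges from the advisory: < 2.1.10, and >= 3.0.0 < 3.4.4.
FIXED_2X = (2, 1, 10)
FIXED_3X = (3, 4, 4)

# Constructed composer.lock excerpt, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "amphp/amp", "version": "v3.1.0"},
        {"name": "amphp/http-server", "version": "v3.4.3"},
    ],
    "packages-dev": [],
})


def parse_version(text: str) -> tuple:
    """'v3.4.3' or '3.4.3-beta.1' -> (3, 4, 3). Pre-release suffixes are ignored,
    so a 3.4.4-rc would pass; tighten this if you ship pre-releases."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_fixed(version: str) -> bool:
    """True if the version lies outside both affected ranges."""
    v = parse_version(version)
    if v < FIXED_2X:
        return False                  # 1.x, and 2.x below 2.1.10
    if (3, 0, 0) <= v < FIXED_3X:
        return False                  # 3.x below 3.4.4
    return True                       # 2.1.10+ on 2.x, 3.4.4+, later majors


def upgrade_target(version: str) -> str:
    """Smallest fixed release on the installed branch (2.x can stay on 2.x)."""
    return "2.1.10" if parse_version(version) < (3, 0, 0) else "3.4.4"


def installed_version(lock_text: str, package: str = "amphp/http-server"):
    """Version string recorded for `package` in composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry["version"]
    return None


def audit_lock(lock_text: str) -> dict:
    """Summarise whether the locked amphp/http-server needs the fix."""
    version = installed_version(lock_text)
    if version is None:
        return {"installed": None, "vulnerable": False, "upgrade_to": None}
    vulnerable = not is_fixed(version)
    return {
        "installed": version,
        "vulnerable": vulnerable,
        "upgrade_to": upgrade_target(version) if vulnerable else None,
    }


if __name__ == "__main__":
    # Usage: python audit_http_server.py [path/to/composer.lock]; exit status 1 if vulnerable.
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    try:
        with open(path) as fh:
            lock_text = fh.read()
    except FileNotFoundError:
        lock_text = SAMPLE_LOCK       # fall back to the constructed sample for a demo run
    result = audit_lock(lock_text)
    print(json.dumps(result))
    sys.exit(1 if result["vulnerable"] else 0)
```

The non-zero exit status makes this usable as a CI gate after `composer update`; on the constructed sample it reports the locked v3.4.3 as vulnerable with 3.4.4 as the target, and a 2.0.x lock would be pointed at 2.1.10 rather than forced onto the 3.x branch.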

References


Read the full report for GHSA-8GRV-JQ2G-CFHW on our website for more details including interactive diagrams and full exploit analysis.
