F5 Networks has disclosed a new HTTP/2 vulnerability affecting a number of BIG-IP products that could allow remote attackers to launch denial-of-service attacks against corporate networks.
The security flaw, designated CVE-2025-54500 and dubbed the “HTTP/2 MadeYouReset Attack,” was published on August 13, 2025, with updates released on August 15.
The vulnerability exploits malformed HTTP/2 control frames to overwhelm systems and has been assigned a medium severity rating with CVSS scores of 5.3 (v3.1) and 6.9 (v4.0).
HTTP/2 Protocol Exploit Uncovered
The newly discovered vulnerability represents a significant implementation flaw in how F5 products handle HTTP/2 communications.
Security researchers have identified that attackers can use malformed HTTP/2 control frames to break the maximum concurrent streams limit, effectively bypassing built-in protocol safeguards.
The attack method allows remote, unauthenticated attackers to cause substantial increases in CPU utilization, potentially leading to complete denial of service on affected BIG-IP systems.
Key characteristics of this vulnerability include:
Attack Type: HTTP/2 MadeYouReset Attack using malformed control frames.
Authentication Required: None – remote, unauthenticated exploitation possible.
Primary Impact: CPU resource exhaustion leading to denial of service.
Classification: CWE-770 (Allocation of Resources Without Limits or Throttling).
Exposure Level: Data plane only, no control plane compromise.
F5 Internal IDs: 1937817 (BIG-IP), 1937817-5 (BIG-IP Next), 1937817-6 (Next SPK/CNF/K8s).
What makes this vulnerability particularly concerning is its classification under CWE-770: Allocation of Resources Without Limits or Throttling, indicating that the attack exploits systems’ inability to properly manage resource allocation.
Importantly, this is categorized as a data plane issue only, meaning there is no control plane exposure, which limits the potential for more severe system compromises.
F5 Products Widely Affected
The vulnerability impacts an extensive range of F5 products, with BIG-IP systems bearing the brunt of the impact. Vulnerable versions include BIG-IP 17.x (versions 17.5.0-17.5.1 and 17.1.0-17.1.2), BIG-IP 16.x (versions 16.1.0-16.1.6), and BIG-IP 15.x (versions 15.1.0-15.1.10).
F5 has released engineering hotfixes for the 17.x and 16.x branches, specifically Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso and Hotfix-BIGIP-17.1.2.2.0.259.12-ENG.iso for the 17.x series, and Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso for the 16.x series.
BIG-IP Next products are also affected, including version 20.3.0 and various SPK, CNF, and Kubernetes implementations.
However, several F5 products remain unaffected, including BIG-IQ Centralized Management, F5 Distributed Cloud services, NGINX products, F5OS systems, and F5 AI Gateway. F5 Silverline services are vulnerable only when HTTP/2-enabled proxy configurations are in use.
F5 strongly recommends immediate installation of the available hotfixes on affected systems, while acknowledging that engineering hotfixes do not undergo the extensive quality assurance testing of regular releases.
For organizations unable to apply patches immediately, F5 suggests several mitigation strategies. The primary recommendation is disabling HTTP/2 and reverting to HTTP where configurations allow this change.
Additional mitigation options include implementing BIG-IP ASM/Advanced WAF DoS protection profiles with TPS and stress-based attributes, along with Behavioral DoS Detection and Mitigation capabilities.
For BIG-IP Next SPK, CNF, and Kubernetes deployments, administrators can delete the F5SPKIngressHTTP2 Custom Resource where possible.
System administrators should monitor HTTP/2 profile statistics, watching for unusually high numbers of RST_STREAM frames sent and WINDOW_UPDATE frames received, which may indicate active exploitation attempts.
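As an added example (not F5's code and not part of the original article), the script below implements the monitoring advice above: it diffs two snapshots of the three HTTP/2 profile counters and flags an interval in which RST_STREAM frames sent or WINDOW_UPDATE frames received are out of proportion to the streams opened. The counter names, the "name value" snapshot format, the sample numbers and the thresholds are all assumptions, not real tmsh output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class H2Stats:
    streams_opened: int          # streams the profile has handled (cumulative)
    rst_stream_sent: int         # RST_STREAM frames the BIG-IP sent
    window_update_received: int  # WINDOW_UPDATE frames the BIG-IP received


def parse_snapshot(text: str) -> H2Stats:
    """Parse 'name value' lines (a constructed format, not real tmsh output)."""
    fields = {}
    for line in text.strip().splitlines():
        name, _, value = line.strip().partition(" ")
        fields[name] = int(value)
    return H2Stats(fields["streams_opened"], fields["rst_stream_sent"],
                   fields["window_update_received"])


def assess(prev: H2Stats, curr: H2Stats, rst_ratio: float = 0.2,
           wu_ratio: float = 0.5, min_streams: int = 100) -> list:
    """Return alert strings for the interval between two cumulative snapshots.

    Deltas are normalised by the streams opened in the interval. The thresholds
    are illustrative assumptions; tune them against your own baseline.
    """
    streams = curr.streams_opened - prev.streams_opened
    rst = curr.rst_stream_sent - prev.rst_stream_sent
    wu = curr.window_update_received - prev.window_update_received
    if streams < min_streams:
        return []  # too little traffic in the interval to judge a ratio
    alerts = []
    if rst / streams > rst_ratio:
        alerts.append(f"RST_STREAM sent per stream {rst / streams:.2f} > {rst_ratio}")
    if wu / streams > wu_ratio:
        alerts.append(f"WINDOW_UPDATE received per stream {wu / streams:.2f} > {wu_ratio}")
    return alerts


# Constructed sample snapshots: a baseline, a normal next interval, and an
# interval in which resets and window updates dwarf the newly opened streams.
SNAPSHOT_T0 = "streams_opened 10000\nrst_stream_sent 40\nwindow_update_received 2000"
SNAPSHOT_T1_BENIGN = "streams_opened 11000\nrst_stream_sent 45\nwindow_update_received 2300"
SNAPSHOT_T1_SUSPECT = "streams_opened 60000\nrst_stream_sent 48000\nwindow_update_received 95000"

if __name__ == "__main__":
    base = parse_snapshot(SNAPSHOT_T0)
    for label, snap in (("benign", SNAPSHOT_T1_BENIGN), ("suspect", SNAPSHOT_T1_SUSPECT)):
        print(label, assess(base, parse_snapshot(snap)) or ["no alert"])
```

Because the counters are cumulative, the check only makes sense on deltas between two polls; a single absolute reading says nothing about rate.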
F5 credits security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel for discovering and responsibly disclosing this vulnerability.