Name: CVE-2025-8671

Description: A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

References: DSA-6303-1
Vulnerable and fixed packages

The table below lists information on source packages.
| Source Package | Release                       | Version          | Status     |
|----------------|-------------------------------|------------------|------------|
| h2o (PTS)      | bullseye                      | 2.2.5+dfsg2-6    | vulnerable |
| h2o            | bookworm                      | 2.2.5+dfsg2-7    | vulnerable |
| haproxy (PTS)  | bullseye                      | 2.2.9-2+deb11u6  | fixed      |
| haproxy        | bullseye (security)           | 2.2.9-2+deb11u7  | fixed      |
| haproxy        | bookworm, bookworm (security) | 2.6.12-1+deb12u3 | fixed      |
| haproxy        | trixie                        | 3.0.11-1+deb13u2 | fixed      |
| haproxy        | trixie (security)             | 3.0.11-1+deb13u3 | fixed      |
| haproxy        | forky, sid                    | 3.2.19-1         | fixed      |
| varnish (PTS)  | bullseye                      | 6.5.1-1+deb11u3  | vulnerable |
| varnish        | bullseye (security)           | 6.5.1-1+deb11u5  | vulnerable |
| varnish        | bookworm, bookworm (security) | 7.1.1-2+deb12u1  | vulnerable |
| varnish        | trixie                        | 7.7.0-3          | vulnerable |
| varnish        | trixie (security)             | 7.7.0-3+deb13u1  | fixed      |
| varnish        | forky, sid                    | 7.7.3-3          | fixed      |
The information below is based on the following data on fixed versions.
| Package | Type   | Release    | Fixed Version   | Urgency | Origin     | Debian Bugs |
|---------|--------|------------|-----------------|---------|------------|-------------|
| h2o     | source | (unstable) | (unfixed)       |         |            |             |
| haproxy | source | (unstable) | (not affected)  |         |            |             |
| varnish | source | trixie     | 7.7.0-3+deb13u1 |         | DSA-6303-1 |             |
| varnish | source | (unstable) | 7.7.2-1         |         |            |             |
Notes

[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue)
- haproxy <not-affected> (Performs stream management correctly)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
https://kb.cert.org/vuls/id/767506
https://galbarnahum.com/made-you-reset
h2o: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
h2o: https://github.com/h2o/h2o/commit/579ecfaca155d1f9f12bfd0cff6086dcda4b9692
lighttpd: https://www.lighttpd.net/2025/8/13/1.4.80/
lighttpd: https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9 (lighttpd-1.4.80)
varnish: https://varnish-cache.org/security/VSV00017.html
varnish: https://github.com/varnishcache/varnish-cache/commit/1aa6e49201acc64ec40b55a5482d1b26e939ff1c (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/f960bccb5c3558ad9c49d7d01ac689c1c614f741 (varnish-7.7.2)
varnish: https://github.com/varnishcache/varnish-cache/commit/7710a5da9958d1b63720e4f6565dd1d87619d4c6 (varnish-7.7.2)
varnish: Regression: https://github.com/varnishcache/varnish-cache/issues/4380
varnish: Regression fix: https://github.com/varnishcache/varnish-cache/commit/cfee49ee9054a238bda686666ac6e471fbbfca10 (varnish-7.7.3)
Unaffected implementations not requiring code changes:
- lighttpd: Cf. https://bugs.debian.org/1111140#10. Adds detection of HTTP/2 MadeYouReset so that log watchers can be configured to block offending IPs.
check: some projects will assign their own CVEs and should then be covered under that specific CVE instead