CVE-2025-8671_CVE-2025-8671

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.

Basic Information

ID CVE-2025-8671

Source certcc

Published Aug 13, 2025 at 12:03

Modified Aug 13, 2025 at 19:57

Affected Product

Vendor SUSE Linux

Product Enterprise Module for Development Tools

Version 15 SP2

Affected Versions SUSE Linux Enterprise Module for Development Tools 15 SP2
SUSE Linux Enterprise High Performance Computing (HPC) 15
Varnish Software Varnish Enterprise 6.0.x
Varnish Software Varnish Cache 6.0LTS
Varnish Software Varnish Cache 5.x
Fastly H20 579ecfa
Wind River Linux LTS22
SUSE Linux Enterprise Desktop 15 SP6
SUSE Linux Enterprise High Performance Computing 15 SP3
SUSE Linux Enterprise Module for Dev Tools 15 SP3
SUSE Linux Enterprise Module for Package Hub 15 SP5
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Linux SUSE Manager Server 4.3
SUSE Linux SUSE Manager Server LTS 4.3
SUSE Linux SUSE Manager Proxy 4.3
SUSE Linux SUSE Manager Retail Branch Server 4.3
SUSE Linux openSUSE Leap 15.6

CWE Classification

CWE-404

References

{
    "lastseen": "",
    "description": "A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS).  By opening streams and then rapidly triggering the server to reset them\u2014using malformed frames or flow control errors\u2014an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.",
    "published": "2025-08-13T12:03:37.167Z",
    "modified": "2025-08-13T19:57:17.805Z",
    "type": "cve",
    "title": "CVE-2025-8671",
    "source": "certcc",
    "references": "https://galbarnahum.com/made-you-reset\nhttps://kb.cert.org/vuls/id/767506\nhttps://varnish-cache.org/security/VSV00017.html\nhttps://www.fastlystatus.com/incident/377810\nhttps://github.com/h2o/h2o/commit/4729b661e3c6654198d2cc62997e1af58bef4b80\nhttps://support2.windriver.com/index.php?page=security-notices\nhttps://www.suse.com/support/kb/doc/?id=000021980\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5325\nhttps://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq",
    "id": "CVE-2025-8671",
    "bulletinFamily": "",
    "cwe": [
        "CWE-404"
    ],
    "cvelist": null,
    "sourceData": "SUSE Linux Enterprise Module for Development Tools 15 SP2\nSUSE Linux Enterprise High Performance Computing (HPC) 15\nVarnish Software Varnish Enterprise 6.0.x\nVarnish Software Varnish Cache 6.0LTS\nVarnish Software Varnish Cache 5.x\nFastly H20 579ecfa\nWind River Linux LTS22\nSUSE Linux Enterprise Desktop 15 SP6\nSUSE Linux Enterprise High Performance Computing 15 SP3\nSUSE Linux Enterprise Module for Dev Tools 15 SP3\nSUSE Linux Enterprise Module for Package Hub 15 SP5\nSUSE Linux Enterprise Server 12 SP5\nSUSE Linux Enterprise Server for SAP Applications 15 SP6\nSUSE Linux SUSE Manager Server 4.3\nSUSE Linux SUSE Manager Server LTS 4.3\nSUSE Linux SUSE Manager Proxy 4.3\nSUSE Linux SUSE Manager Retail Branch Server 4.3\nSUSE Linux openSUSE Leap 15.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Enterprise Module for Development Tools",
    "version": "15 SP2",
    "vendor": "SUSE Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}