Fastly’s Response to the MadeYouReset HTTP/2 Security Vulnerability (CVE-2025-8671)
13 August 2025, 12:10 UTC
On the 13th of May 2025, Fastly received a pre-release report detailing a distributed denial of service (DDoS) vulnerability called MadeYouReset (CVE-2025-8671). Fastly implemented a fix for this vulnerability in release 25.17 of Fastly’s internal fork of H2O. The fix was deployed and fully implemented across Fastly on the 2nd of June 2025.
Vulnerability Details
The MadeYouReset vulnerability (CVE-2025-8671) was publicly disclosed on the 13th of August, 2025. This vulnerability exploits the same HTTP/2 protocol implementation flaw that was used in Rapid Reset (CVE-2023-44487). The MadeYouReset vulnerability existed in the upstream H2O repository and also in Fastly’s forked version of H2O. In addition to ensuring our forked version of H2O was patched, Fastly Engineering coordinated with the original vulnerability researcher to proactively patch the upstream repository and resolve the core issue. This ensured the fix is available across all environments that rely on the open source implementation of H2O.
For more information about this vulnerability and its upstream fix in H2O, please see:
What’s next? What do I have to do?
No customer action is required. The fix has been applied across Fastly.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or contact their designated account management team members.
13 August 2025, 13:10 UTC
This event has been resolved.
Note: Our Customer Escalation Management team will update the start date and time of the initial "investigating" status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.