Salvatore: lighttpd is not directly vulnerable to HTTP/2 MadeYouReset

As published in https://kb.cert.org/vuls/id/767506

> Vendor Statement
>
> lighttpd is not directly vulnerable to HTTP/2 MadeYouReset. lighttpd tracks
> request streams with connections to backends, makes a single request on each
> backend socket connection, and closes the socket (or kill()s the CGI) when
> the request stream is reset.
On Fri, Aug 15, 2025 at 06:09:43AM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for lighttpd.
> CVE-2025-8671[0]:

*** Please contact security at lighttpd.net prior to filing a CVE and prior to publishing a CVE. ***

lighttpd 1.4.80 adds *detection* of HTTP/2 MadeYouReset so that log watchers such as fail2ban can be configured to block offending IPs.

I see now that the lighttpd release notes could have been more explicit that lighttpd is not directly vulnerable to MadeYouReset, the same way that lighttpd was not directly vulnerable to Rapid Reset attacks.

While lighttpd 1.4.80 will close connections to offending clients, an attacker can merely reconnect and continue the attack, so the disconnection is a small mitigation. At the end of the day, a DoS attack is a DoS attack and more effective blocks can be performed at the firewall or upstream, especially across a farm of independent lighttpd servers. Adding detection and error logging for independent lighttpd servers across a server farm is one of the reasons lighttpd 1.4.80 adds detection and logging for MadeYouReset attacks.

Cheers, Glenn
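The message above describes the intended deployment model: lighttpd only logs the MadeYouReset pattern, and a log watcher such as fail2ban turns repeated hits from one client into a block, ideally at the firewall rather than by closing the connection (which the attacker simply reopens). The following is an added example of such a watcher, written for this page; it is not lighttpd's code, not Glenn's, and not a fail2ban filter. The log line format (`<ISO-8601 UTC timestamp> client=<ip> event=<name>`) and the event name `h2.madeyoureset` are constructed for the example and are not lighttpd's actual error-log message; a real filter has to match whatever lighttpd 1.4.80 writes. What it does show is the fail2ban-style `maxretry` / `findtime` / `bantime` sliding window keyed on the client IP rather than on the connection, so that the reconnect-and-continue behaviour the message warns about still accumulates toward a ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format for this example (NOT lighttpd's real error-log format):
#   2025-08-15T06:10:01Z client=203.0.113.7 event=h2.madeyoureset
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"client=(?P<ip>[0-9a-fA-F:.]+) event=(?P<event>\S+)$"
)
# Assumed event name for a detected MadeYouReset pattern (chosen for this example).
ABUSE_EVENT = "h2.madeyoureset"


def parse_line(line):
    """Return (epoch_seconds, client_ip, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m["ip"], m["event"]


class ResetWatcher:
    """Per-IP sliding-window counter with fail2ban-like semantics.

    A client is banned once it produces `maxretry` abuse events within any
    `findtime`-second window; the ban lasts `bantime` seconds.  Hits are keyed on
    the client IP, not the connection, so reconnecting does not reset the count.
    """

    def __init__(self, maxretry=3, findtime=60, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)  # ip -> timestamps of recent abuse events
        self.banned = {}                # ip -> epoch second at which the ban expires

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a new ban."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip, event = parsed
        if event != ABUSE_EVENT:
            return None
        expiry = self.banned.get(ip)
        if expiry is not None and ts < expiry:
            return None  # still banned: nothing new to do (the block lives at the firewall)
        if expiry is not None:
            del self.banned[ip]  # ban has expired; start counting afresh
            self.hits[ip].clear()
        window = self.hits[ip]
        window.append(ts)
        while window and window[0] <= ts - self.findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def detect_bans(lines, **jail_options):
    """Run the watcher over a sequence of lines; return [(ip, ban_expiry_epoch), ...]."""
    watcher = ResetWatcher(**jail_options)
    bans = []
    for line in lines:
        ip = watcher.feed(line)
        if ip is not None:
            bans.append((ip, watcher.banned[ip]))
    return bans


# Constructed sample log: one abusive client that reconnects and keeps going,
# one benign client whose two hits fall outside the findtime window, plus noise.
SAMPLE_LINES = [
    "2025-08-15T06:10:01Z client=203.0.113.7 event=h2.madeyoureset",
    "2025-08-15T06:10:02Z client=203.0.113.7 event=h2.madeyoureset",
    "2025-08-15T06:10:02Z client=198.51.100.9 event=request.ok",        # unrelated event
    "2025-08-15T06:10:03Z client=203.0.113.7 event=h2.madeyoureset",    # third hit: ban
    "2025-08-15T06:10:05Z client=203.0.113.7 event=h2.madeyoureset",    # reconnect while banned
    "this line does not match the format at all",
    "2025-08-15T06:10:10Z client=198.51.100.9 event=h2.madeyoureset",
    "2025-08-15T06:15:00Z client=198.51.100.9 event=h2.madeyoureset",   # >60 s later: no ban
    "2025-08-15T06:20:10Z client=203.0.113.7 event=h2.madeyoureset",    # ban expired 06:20:03
    "2025-08-15T06:20:11Z client=203.0.113.7 event=h2.madeyoureset",
    "2025-08-15T06:20:12Z client=203.0.113.7 event=h2.madeyoureset",    # banned again
]

if __name__ == "__main__":
    for ip, expiry in detect_bans(SAMPLE_LINES):
        print(f"ban {ip} until {datetime.fromtimestamp(expiry, timezone.utc).isoformat()}")
```

In a real deployment the `ban` decision would be handed to a firewall action (the equivalent of fail2ban's `actionban`), and, as the message notes, across a farm of independent servers the per-host counts are only useful if the resulting blocks are applied upstream or the logs are aggregated so that one client spreading resets over many hosts is still caught.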

