
F5 Addresses HTTP/2 Vulnerability That Could Lead to Large-Scale DoS Attacks

F5 Networks has disclosed a significant HTTP/2 vulnerability affecting multiple BIG-IP products, which could enable remote attackers to execute denial-of-service attacks against corporate networks. This security flaw, designated CVE-2025-54500 and referred to as the “HTTP/2 MadeYouReset Attack,” was published on August 13, 2025, with subsequent updates released on August 15. The vulnerability is triggered by malformed HTTP/2 control frames that overwhelm the affected system; it carries a medium severity rating, with CVSS scores of 5.3 (v3.1) and 6.9 (v4.0). Researchers have identified that attackers can use these malformed frames to bypass built-in protocol safeguards, leading to substantial increases in CPU usage and potentially causing a complete denial of service on affected BIG-IP systems.
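As an added illustration of what server-side handling of "malformed control frames" involves (example code, not F5's implementation or its fix): the validator below decodes HTTP/2 frame headers, flags control frames that violate RFC 9113, and closes a connection once a per-connection error budget is spent, which is the CWE-770 idea of bounding how much work one peer can cause. The frame-type codes and validity rules are from RFC 9113; the budget value, the function names and the sample frames are constructed for this example.

```python
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PING, GOAWAY, WINDOW_UPDATE = 0, 1, 2, 3, 4, 6, 7, 8  # RFC 9113 types

def build_frame(ftype, stream_id, payload, flags=0):  # 9-byte header + payload
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frame(buf, offset):
    """Decode the frame at offset -> (type, stream_id, payload, next_offset)."""
    length = int.from_bytes(buf[offset:offset + 3], "big")
    payload = buf[offset + 9:offset + 9 + length]
    if len(buf) - offset < 9 or len(payload) != length:
        raise ValueError("truncated frame")
    stream_id = int.from_bytes(buf[offset + 5:offset + 9], "big") & 0x7FFFFFFF
    return buf[offset + 3], stream_id, payload, offset + 9 + length

def frame_error(ftype, stream_id, payload):
    """Return why a control frame is malformed under RFC 9113, or None if well formed."""
    if ftype == WINDOW_UPDATE:
        if len(payload) != 4 or int.from_bytes(payload, "big") & 0x7FFFFFFF == 0:
            return "WINDOW_UPDATE with wrong length or zero increment"
    elif ftype == PRIORITY:
        if stream_id == 0 or len(payload) != 5:
            return "PRIORITY on stream 0 or with wrong length"
        if int.from_bytes(payload[:4], "big") & 0x7FFFFFFF == stream_id:
            return "PRIORITY depending on itself"
    elif ftype == RST_STREAM and (stream_id == 0 or len(payload) != 4):
        return "RST_STREAM on stream 0 or with wrong length"
    elif ftype in (SETTINGS, PING, GOAWAY) and stream_id != 0:
        return "connection-level frame sent on a stream"
    return None

def process_connection(buf, budget=3):
    """Walk a connection's frames; after `budget` protocol errors (hypothetical limit) report it closed."""
    errors, offset = [], 0
    while offset < len(buf):
        ftype, stream_id, payload, offset = parse_frame(buf, offset)
        reason = frame_error(ftype, stream_id, payload)
        if reason is not None:
            errors.append(reason)
        if len(errors) >= budget:
            return "closed", errors
    return "open", errors

# Constructed sample connection: one legitimate request, then three malformed control frames.
SAMPLE = b"".join([
    build_frame(HEADERS, 1, b"\x82", flags=0x5),                 # END_STREAM | END_HEADERS
    build_frame(WINDOW_UPDATE, 1, (0).to_bytes(4, "big")),       # zero increment
    build_frame(PRIORITY, 3, (3).to_bytes(4, "big") + b"\x0f"),  # depends on itself
    build_frame(RST_STREAM, 0, (8).to_bytes(4, "big")),          # RST_STREAM on stream 0
])
```

Running `process_connection(SAMPLE)` tears the connection down after the third malformed frame instead of answering each one individually; a real proxy would also meter the rate of such errors, not only their count.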

The vulnerability impacts a wide range of F5 products, particularly BIG-IP systems, with vulnerable versions including BIG-IP 17.x (versions 17.5.0-17.5.1 and 17.1.0-17.1.2), BIG-IP 16.x (versions 16.1.0-16.1.6), and BIG-IP 15.x (versions 15.1.0-15.1.10). F5 has released engineering hotfixes for the affected branches, including Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso and Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso. BIG-IP Next products, including version 20.3.0 and various SPK, CNF, and Kubernetes implementations, are also affected. However, several F5 products remain unaffected, such as BIG-IQ Centralised Management, F5 Distributed Cloud services, NGINX products, F5OS systems, and F5 AI Gateway. F5 Silverline services are only vulnerable when HTTP/2-enabled proxy configurations are in use.

Categories: HTTP/2 Vulnerability, Denial-of-Service Attack, F5 BIG-IP Products 

Tags: HTTP/2, Vulnerability, Denial-of-Service, BIG-IP, CVE-2025-54500, Malformed Control Frames, CPU Resource Exhaustion, CWE-770, F5 Products, Hotfixes 
