CVE-2025-8671
Published: 13 August 2025
Summary
CVE-2025-8671 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in certain HTTP/2 server implementations; the vendor recorded for it here, ISC, is inferred from the references rather than stated in the CVE record. Its CVSS base score is 7.5 (High).
Operationally, its exploit-likelihood (EPSS) percentile places it in the top 12.5% of CVEs; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2025-8671 is a denial-of-service vulnerability affecting certain HTTP/2 server implementations. It stems from a mismatch between what the HTTP/2 specification says about server-sent stream resets that a client provokes and how some implementations track streams internally: a stream the server has reset is closed at the protocol level, and so stops counting against SETTINGS_MAX_CONCURRENT_STREAMS, but the request already dispatched to the backend keeps consuming resources.
An unauthenticated remote attacker can open streams on a single HTTP/2 connection and rapidly force the server to reset each one by sending a malformed frame or provoking a flow-control error (for example a WINDOW_UPDATE with a zero increment, which RFC 9113 requires the server to treat as a stream error). Because the server keeps processing the reset streams while no longer counting them, the attacker can drive an unbounded number of concurrently processed requests over one connection and exhaust CPU, memory or backend capacity. The RST_STREAM frames in this pattern are sent by the server, not the client, so defenses that count client-sent resets, as widely deployed after Rapid Reset (CVE-2023-44487), do not observe the attack. The CVSS 7.5 score reflects high availability impact with low attack complexity and no privileges or user interaction required.
Public references point to patches and advisories for specific products. The h2o project published a security advisory and applied a fix in commit 4729b661, ISC tracked the problem for BIND 9, and CERT/CC issued VU#767506; administrators should consult those sources for affected-version lists and remediation steps.
The associated EPSS score has remained flat at 0.0327, with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24560
Vulnerability details
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them, using malformed frames or flow control errors, an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
- CWE(s): CWE-404 Improper Resource Shutdown or Release
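The accounting mismatch described in the deeper analysis and in the vulnerability details above, as an added model that is not code from h2o, BIND 9 or any other affected project. The frame names follow RFC 9113; the server classes, the attack loop, and the limits MAX_CONCURRENT_STREAMS and RESET_BUDGET are assumptions chosen for the illustration, not values taken from an advisory. The vulnerable server counts only protocol-open streams, so every server-sent reset frees a concurrency slot while the backend keeps working; the hardened server counts backend-active streams as well and caps the resets it will send per connection.

```python
"""Stream-accounting model for the CVE-2025-8671 pattern (added illustration).

Not code from h2o, BIND 9, or any affected project. Frame names follow
RFC 9113; the classes, limits and attack loop are a simplified model whose
values are assumptions chosen for this example.
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # assumed SETTINGS_MAX_CONCURRENT_STREAMS value
RESET_BUDGET = 200            # assumed cap on server-sent RST_STREAM per connection


class ConnectionTerminated(Exception):
    """The server sent GOAWAY and closed the connection (modelled outcome;
    RFC 9113 also allows a stream error of type REFUSED_STREAM here)."""


@dataclass
class VulnerableServer:
    """Counts concurrency by protocol-open streams only.

    When the client triggers a stream error, the server sends RST_STREAM and
    drops the stream from protocol_open, so it stops counting against
    MAX_CONCURRENT_STREAMS. The request already handed to the backend keeps
    running; nothing cancels it and nothing counts it.
    """
    protocol_open: set = field(default_factory=set)
    backend_inflight: set = field(default_factory=set)

    def concurrency(self) -> int:
        return len(self.protocol_open)

    def on_headers(self, sid: int) -> None:
        """Client opened stream sid with a complete request."""
        if self.concurrency() >= MAX_CONCURRENT_STREAMS:
            raise ConnectionTerminated("MAX_CONCURRENT_STREAMS exceeded")
        self.protocol_open.add(sid)
        self.backend_inflight.add(sid)  # request dispatched to the backend

    def on_client_error(self, sid: int) -> tuple:
        """Client sent a frame that is a stream error on sid, e.g. a
        WINDOW_UPDATE with a zero increment (RFC 9113 section 6.9). The server
        must answer with RST_STREAM; the stream is then closed at the protocol
        level, but backend_inflight is untouched."""
        self.protocol_open.discard(sid)
        return ("RST_STREAM", sid)

    def on_backend_done(self, sid: int) -> None:
        """Backend finished (or was cancelled); its resources are released."""
        self.backend_inflight.discard(sid)


@dataclass
class HardenedServer(VulnerableServer):
    """Two modelled mitigations layered on the same server:
    1. concurrency counts every stream the backend is still working on,
       whether or not the protocol already considers it closed;
    2. a per-connection budget on server-sent RST_STREAM frames, so a client
       that keeps provoking resets is disconnected even if the backend keeps up.
    """
    resets_sent: int = 0

    def concurrency(self) -> int:
        return len(self.protocol_open | self.backend_inflight)

    def on_client_error(self, sid: int) -> tuple:
        self.resets_sent += 1
        if self.resets_sent > RESET_BUDGET:
            raise ConnectionTerminated("server-sent reset budget exhausted")
        return super().on_client_error(sid)


def run_attack(server: VulnerableServer, streams: int) -> dict:
    """Constructed attacker: opens `streams` streams on one connection, each
    immediately followed by a malformed frame, and never waits for a response."""
    resets = 0
    terminated = None
    for i in range(streams):
        sid = 2 * i + 1  # client-initiated stream identifiers are odd
        try:
            server.on_headers(sid)
            server.on_client_error(sid)
            resets += 1
        except ConnectionTerminated as exc:
            terminated = str(exc)
            break
    return {
        "protocol_open": len(server.protocol_open),
        "backend_inflight": len(server.backend_inflight),
        "resets_sent": resets,
        "terminated": terminated,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableServer(), 1000))
    print("hardened:  ", run_attack(HardenedServer(), 1000))
```

Running the block shows the vulnerable server finishing the run with zero protocol-open streams and 1000 requests still in flight at the backend, while the hardened server disconnects the client after 100. Every RST_STREAM in this exchange is sent by the server, which is why a counter of client-sent resets never fires; the useful signals are the number of server-sent resets per connection and the number of backend-active requests per connection, both of which the hardened model bounds.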
Related Threats
No named threat-actor attribution yet; ATT&CK technique mapping for this CVE is in progress.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-404) cited in the NVD entry and is generic to that weakness rather than specific to HTTP/2 stream handling.
- Contingency plan updates that incorporate proper resource shutdown and release steps, so that attackers cannot leverage incomplete cleanup during recovery scenarios.
- Mandating explicit shutdown of the network connection at session conclusion, directly addressing improper resource release.
- Requiring shutdown/release procedures that overwrite or isolate data, blocking unintended transfer through reused system objects.
- Procedures that mandate orderly shutdown or release of resources when failures occur, preventing improper resource handling after a fault.