CVE-2025-54500 | THREATINT

Description

An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2025-07-29 | Published 2025-08-13 | Updated 2025-08-13 | Assigner f5

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status

unknown

17.5.0 before *

affected

17.1.0 before *

affected

16.1.0 before *

affected

15.1.0 before *

affected

Default status

unknown

20.3.0 before *

affected

Default status

unknown

2.0.0 before *

affected

1.7.0 before *

affected

Default status

unknown

2.0.0 before *

affected

1.1.0 before *

affected

Default status

unknown

2.0.0 before *

affected

Credits

F5 acknowledges Gal Bar Nahum, Anat Bremler-Barr and Yaniv Harel for bringing this issue to our attention and following the highest standards of coordinated disclosure. reporter

References

my.f5.com/manage/s/article/K000152001 vendor-advisory

cve.org (CVE-2025-54500)

nvd.nist.gov (CVE-2025-54500)

Download JSON