Hello httpd users,

I would like to ask for clarification on whether Apache HTTP Server is affected by the publicly disclosed HTTP/2 issue "MadeYouReset" (CVE-2025-8671), and specifically whether httpd 2.4.46 or later should be considered vulnerable. [1][2]

Our observations:

- We are aware that Apache httpd's HTTP/2 support is implemented via mod_http2, and mod_http2 uses nghttp2 as its implementation base. [3]
- The nghttp2 project discussed this CVE and indicated that nghttp2 is not affected (see nghttp2 issue #2484). [4]
- However, we ran the detection tool published by one of the researchers (Gal Bar Nahum) against Apache HTTP Server 2.4.46 and 2.4.62 in "checker mode". The tool reported that the "overflow-window" primitive appears to be applicable / detected for this target. [5]

Any pointers to prior discussion, documentation, or official statements would be greatly appreciated.

Thank you for your time and guidance.

Best regards,
Yoshihide Ito

[1] CERT/CC VU#767506: https://kb.cert.org/vuls/id/767506
[2] NVD CVE-2025-8671: https://nvd.nist.gov/vuln/detail/CVE-2025-8671
[3] Apache httpd HTTP/2 guide (mod_http2 uses nghttp2): https://httpd.apache.org/docs/2.4/howto/http2.html
[4] nghttp2 issue #2484: https://github.com/nghttp2/nghttp2/issues/2484
[5] Tool by Gal Bar Nahum: https://github.com/galbarnahum/MadeYouReset
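The "overflow-window" primitive mentioned in the post refers, as far as the public description of MadeYouReset goes, to a client sending a WINDOW_UPDATE whose increment pushes a stream's flow-control window past 2^31-1; RFC 9113 section 6.9.1 requires the server to answer that with a stream error (FLOW_CONTROL_ERROR), i.e. the server itself emits the RST_STREAM, so the stream churn does not show up as client-sent resets. The following is an added example, written for this page and not code from the post, from httpd/mod_http2, from nghttp2 or from the researcher's checker tool. It models raw HTTP/2 frames, the section 6.9.1 window check, and one hypothetical mitigation: charging server-initiated resets that a client provoked to the same budget as client RST_STREAM frames. The class and function names, the budget value and the scenario are all assumptions made up for the example; the mapping of "overflow-window" to the WINDOW_UPDATE overflow case is likewise my reading of the public write-up, not something the post states.

```python
import struct

# Constants from RFC 9113 (HTTP/2). Only the stream-level window is modelled;
# the connection-level window (stream 0) is out of scope for this example.
MAX_WINDOW = 2**31 - 1          # section 6.9.1: a window must not exceed this
INITIAL_WINDOW = 65535          # default SETTINGS_INITIAL_WINDOW_SIZE
FRAME_RST_STREAM = 0x3
FRAME_WINDOW_UPDATE = 0x8
PROTOCOL_ERROR = 0x1
FLOW_CONTROL_ERROR = 0x3


def build_frame(ftype, flags, stream_id, payload):
    """Serialise a raw HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def window_update(stream_id, increment):
    return build_frame(FRAME_WINDOW_UPDATE, 0, stream_id,
                       struct.pack(">I", increment & 0x7FFFFFFF))


def rst_stream(stream_id, error_code):
    return build_frame(FRAME_RST_STREAM, 0, stream_id, struct.pack(">I", error_code))


def parse_frame(buf):
    """Return (type, flags, stream_id, payload) for one frame at the start of buf."""
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    return ftype, flags, stream_id, buf[9:9 + length]


class ServerConnection:
    """Hypothetical server-side model (assumption, not mod_http2/nghttp2 logic).
    Tracks per-stream send windows and one reset budget that counts BOTH client
    RST_STREAM frames and RST_STREAM frames the server emits because of a client
    protocol error. Counting only the former is what a MadeYouReset-style client evades."""

    def __init__(self, reset_budget=100):
        self.windows = {}          # stream_id -> current send window
        self.reset_budget = reset_budget
        self.reset_count = 0
        self.sent_frames = []      # frames the server would write back

    def open_stream(self, stream_id):
        self.windows[stream_id] = INITIAL_WINDOW

    def _charge_reset(self):
        """Charge one reset to the budget; False means the budget is now exceeded."""
        self.reset_count += 1
        return self.reset_count <= self.reset_budget

    def _server_reset(self, stream_id, error_code):
        self.sent_frames.append(rst_stream(stream_id, error_code))
        self.windows.pop(stream_id, None)
        return self._charge_reset()

    def handle(self, frame):
        """Process one client frame; returns (outcome, still_within_budget)."""
        ftype, _flags, stream_id, payload = parse_frame(frame)
        if ftype == FRAME_RST_STREAM:
            self.windows.pop(stream_id, None)
            return "client-reset", self._charge_reset()
        if ftype == FRAME_WINDOW_UPDATE and stream_id != 0:
            if stream_id not in self.windows:
                return "ignored", True       # closed/unknown stream: nothing to do
            increment = int.from_bytes(payload, "big") & 0x7FFFFFFF
            if increment == 0:
                # section 6.9: zero increment on a stream is a PROTOCOL_ERROR stream error
                return "server-reset", self._server_reset(stream_id, PROTOCOL_ERROR)
            if self.windows[stream_id] + increment > MAX_WINDOW:
                # section 6.9.1: window would exceed 2^31-1 -> FLOW_CONTROL_ERROR stream
                # error. The server, not the client, sends the RST_STREAM here.
                return "server-reset", self._server_reset(stream_id, FLOW_CONTROL_ERROR)
            self.windows[stream_id] += increment
            return "ok", True
        return "ok", True


def provoke_resets(stream_count, reset_budget):
    """Constructed scenario: a client opens stream_count streams and sends each one
    an overflowing WINDOW_UPDATE without ever sending RST_STREAM itself. Returns the
    connection, the per-stream outcomes, and the 1-based stream index at which the
    shared budget was exceeded (None if it never was)."""
    conn = ServerConnection(reset_budget)
    outcomes, exceeded_at = [], None
    for i in range(stream_count):
        sid = 2 * i + 1                      # client-initiated streams are odd
        conn.open_stream(sid)
        kind, within_budget = conn.handle(window_update(sid, 0x7FFFFFFF))
        outcomes.append(kind)
        if not within_budget and exceeded_at is None:
            exceeded_at = i + 1
    return conn, outcomes, exceeded_at


if __name__ == "__main__":
    conn, outcomes, exceeded_at = provoke_resets(stream_count=5, reset_budget=3)
    print(outcomes, "budget exceeded at stream", exceeded_at)
```

The point of the model is the accounting, not the frame parsing: every reset in `provoke_resets` is emitted by the server, so a mitigation that only counts client RST_STREAM frames (the Rapid Reset fix) would see zero resets, while the shared budget here trips at the fourth stream. A real implementation also has to treat overflow on stream 0 as a connection error and should rate-limit across time rather than use a fixed lifetime count.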
