CVE-2025-54500 Overview
CVE-2025-54500 is a denial-of-service (DoS) vulnerability affecting the F5 BIG-IP and BIG-IP Next product lines. The flaw resides in the HTTP/2 protocol implementation and is tracked as the "HTTP/2 MadeYouReset Attack." Attackers can send malformed HTTP/2 control frames that cause the server to reset streams at a time of the attacker's choosing. This bypasses the SETTINGS_MAX_CONCURRENT_STREAMS limit and allows resource exhaustion against the targeted system. The weakness is categorized as Allocation of Resources Without Limits or Throttling [CWE-770]. No authentication or user interaction is required to exploit the issue over the network.
Critical Impact
Remote unauthenticated attackers can degrade availability of HTTP/2 services across F5 BIG-IP virtual servers by abusing malformed control frames to bypass concurrent stream limits.
Affected Products
- F5 BIG-IP (LTM, APM, AFM, ASM/AWAF, Analytics, AAM, AVR, DNS, GTM, Link Controller, PEM, SSL Orchestrator, CGNAT, DDoS Hybrid Defender, Edge Gateway, WebAccelerator, WebSafe, Fraud Protection Service, Container Ingress Services, Automation Toolchain)
- F5 BIG-IP Next Central Manager 20.3.0, BIG-IP Next for Kubernetes 2.0.0, BIG-IP Next Cloud-Native Network Functions, BIG-IP Next Service Proxy for Kubernetes
- F5 Silverline
Discovery Timeline
- 2025-08-13 - CVE-2025-54500 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-54500
Vulnerability Analysis
The MadeYouReset technique abuses the HTTP/2 stream reset mechanism. HTTP/2 lets a server advertise the maximum number of concurrent streams per connection through the SETTINGS_MAX_CONCURRENT_STREAMS parameter. An attacker sends malformed control frames that force the server to reset streams the client has just opened. Because the reset is server-initiated, the stream stops counting toward the client's concurrent-stream budget, yet the server still performs the request handling work for it. This lets an attacker keep far more requests in flight than the configured limit allows. The technique is related to the Rapid Reset family but relies on server-triggered resets rather than RST_STREAM frames sent by the client.
Root Cause
The root cause is improper accounting of in-flight streams when malformed control frames trigger server-initiated resets. The HTTP/2 stack continues to allocate processing resources for requests on streams that are reset before the concurrent-stream counter reflects the true workload. This is a resource exhaustion flaw tracked under [CWE-770].
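To make the accounting gap described above concrete, the following toy model is added here; it is not F5 code and does not reproduce BIG-IP internals. It tracks one HTTP/2 connection with two views of a request: the set of open streams that SETTINGS_MAX_CONCURRENT_STREAMS is enforced against, and a backend work queue. The two hardening options (charging queued backend work to the limit, and capping server-initiated resets before GOAWAY) are illustrative choices of the model, not a description of the vendor's fix.

```python
# Added illustration (not F5 code): a toy model of one HTTP/2 connection that
# shows why server-initiated resets break concurrent-stream accounting (CWE-770).
from collections import deque


class Http2Connection:
    """Two places a request lives: the HTTP/2 layer's open-stream set (what
    SETTINGS_MAX_CONCURRENT_STREAMS is enforced against) and a backend work
    queue (requests already handed off for processing)."""

    def __init__(self, max_concurrent, count_backend_work=False, max_server_resets=None):
        self.max_concurrent = max_concurrent
        # Hardening option 1 (assumed, not F5's fix): charge queued backend work
        # against the limit so a reset stream still occupies a slot until done.
        self.count_backend_work = count_backend_work
        # Hardening option 2 (assumed): cap server-initiated resets per
        # connection and send GOAWAY once the cap is exceeded.
        self.max_server_resets = max_server_resets
        self.open_streams = set()
        self.backend_queue = deque()
        self.server_resets = 0
        self.closed = False
        self.peak_backend_load = 0

    def _load(self):
        load = len(self.open_streams)
        if self.count_backend_work:
            load += len(self.backend_queue)
        return load

    def open_stream(self, stream_id):
        """Client opens a stream carrying a request; returns False if refused."""
        if self.closed or self._load() >= self.max_concurrent:
            return False
        self.open_streams.add(stream_id)
        self.backend_queue.append(stream_id)  # request forwarded immediately
        self.peak_backend_load = max(self.peak_backend_load, len(self.backend_queue))
        return True

    def server_reset(self, stream_id):
        """A malformed control frame makes the server send RST_STREAM. The
        vulnerable accounting frees the concurrent-stream slot at once, but the
        backend work for that request is still queued."""
        self.open_streams.discard(stream_id)
        self.server_resets += 1
        if self.max_server_resets is not None and self.server_resets > self.max_server_resets:
            self.closed = True  # GOAWAY: no further streams on this connection

    def backend_finished(self, stream_id):
        """Backend completes the request; only now is the work really gone."""
        self.backend_queue.remove(stream_id)


def burst(conn, attempts):
    """What the server sees during the abuse pattern: `attempts` streams opened
    and each reset by the server before any backend completion. Returns
    (streams accepted, peak backend load)."""
    accepted = 0
    for i in range(attempts):
        stream_id = 2 * i + 1  # client-initiated streams use odd IDs
        if not conn.open_stream(stream_id):
            break
        accepted += 1
        conn.server_reset(stream_id)
    return accepted, conn.peak_backend_load


if __name__ == "__main__":
    vulnerable = Http2Connection(max_concurrent=10)
    print("vulnerable accounting:", burst(vulnerable, 1000))  # (1000, 1000)
    charged = Http2Connection(max_concurrent=10, count_backend_work=True)
    print("backend work charged:", burst(charged, 1000))      # (10, 10)
    capped = Http2Connection(max_concurrent=10, max_server_resets=50)
    print("reset cap + GOAWAY:", burst(capped, 1000))         # (51, 51)
```

The vulnerable connection never exceeds ten open streams from the HTTP/2 layer's point of view, yet it hands a thousand requests to the backend; either hardening keeps the backend load within a small multiple of the advertised limit.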
Attack Vector
The attack is delivered over the network against any HTTP/2-enabled virtual server. An unauthenticated attacker establishes an HTTP/2 connection, then transmits crafted control frames that cause the server to reset streams while still consuming CPU and memory. Repeating this pattern at high rate degrades service for legitimate clients on the affected F5 device. The vulnerability impacts availability only; confidentiality and integrity are not affected.
No verified public exploit code is available. For protocol-level details, see CERT/CC Vulnerability Note VU#767506.
Detection Methods for CVE-2025-54500
Indicators of Compromise
- High volume of HTTP/2 streams on a single connection that are reset shortly after creation by the server.
- Spikes in CPU and memory usage on BIG-IP TMM processes correlated with HTTP/2 traffic.
- Increased counts of malformed HTTP/2 control frames in TMM logs and ltm debug output.
- Unexpected drops in HTTP/2 service availability or elevated 5xx responses from virtual servers behind BIG-IP.
Detection Strategies
- Inspect HTTP/2 traffic at the protocol layer for anomalous rates of server-initiated RST_STREAM frames per connection.
- Correlate connection-level metrics with tmstat counters for HTTP/2 stream creation versus completion.
- Compare observed concurrent stream counts against the advertised SETTINGS_MAX_CONCURRENT_STREAMS value to identify breaches of the negotiated limit.
Monitoring Recommendations
- Ingest BIG-IP iHealth diagnostics and AVR HTTP/2 telemetry into a centralized analytics platform for trend analysis.
- Alert on sustained CPU saturation in TMM processes accompanied by HTTP/2 traffic from a small number of source addresses.
- Track per-source-IP HTTP/2 frame error counts and rate-limit clients that exceed established baselines.
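The detection strategies and monitoring recommendations above can be expressed as a small replay over per-connection HTTP/2 telemetry. The example below is added here and is not from the page or from F5; the record format ("<ts> <conn_id> <src_ip> <event> <stream_id> [k=v]"), the event names (SETTINGS, OPEN, FRAME_ERR, SRV_RST, COMPLETE), the sample log and the thresholds are all constructed for the illustration. It flags a connection when the server-initiated RST_STREAM rate, the number of requests in flight versus the advertised SETTINGS_MAX_CONCURRENT_STREAMS, or the malformed-frame count exceeds a baseline, and it totals frame errors per source IP for rate-limiting decisions.

```python
# Added example (not from the page or F5): detection heuristics run over a
# constructed per-connection HTTP/2 event log. Record format is assumed:
# "<ts> <conn_id> <src_ip> <event> <stream_id> [k=v]".
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnStats:
    src_ip: str
    first_ts: float = 0.0
    last_ts: float = 0.0
    advertised_max: Optional[int] = None
    opened: int = 0
    completed: int = 0
    server_resets: int = 0
    frame_errors: int = 0
    in_flight: set = field(default_factory=set)
    peak_in_flight: int = 0


def build_sample_log():
    """Constructed telemetry: c1 is a normal client; c2 shows the MadeYouReset
    pattern (many streams, each server-reset right after a malformed frame)."""
    lines = ["0.00 c1 10.0.0.5 SETTINGS 0 max_concurrent=10"]
    for i in range(5):
        lines.append(f"{0.1 * (i + 1):.2f} c1 10.0.0.5 OPEN {2 * i + 1}")
    for i in range(5):
        lines.append(f"{0.6 + 0.1 * i:.2f} c1 10.0.0.5 COMPLETE {2 * i + 1}")
    lines.append("1.00 c2 198.51.100.7 SETTINGS 0 max_concurrent=10")
    for i in range(40):
        ts, sid = f"{1.0 + 0.02 * i:.2f}", 2 * i + 1
        lines.append(f"{ts} c2 198.51.100.7 OPEN {sid}")
        lines.append(f"{ts} c2 198.51.100.7 FRAME_ERR {sid}")
        lines.append(f"{ts} c2 198.51.100.7 SRV_RST {sid}")
    for i in range(5):
        lines.append(f"2.00 c2 198.51.100.7 COMPLETE {2 * i + 1}")
    return "\n".join(lines)


def analyze(log_text):
    """Replay events and keep per-connection counters."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        ts, conn, src, event, sid = float(parts[0]), parts[1], parts[2], parts[3], parts[4]
        s = stats.setdefault(conn, ConnStats(src, first_ts=ts))
        s.last_ts = ts
        if event == "SETTINGS":
            s.advertised_max = int(parts[5].split("=")[1])
        elif event == "OPEN":
            s.opened += 1
            s.in_flight.add(sid)
            s.peak_in_flight = max(s.peak_in_flight, len(s.in_flight))
        elif event == "SRV_RST":
            # Server-initiated reset: the stream leaves HTTP/2 accounting, but
            # its request is not finished, so it stays in in_flight here.
            s.server_resets += 1
        elif event == "FRAME_ERR":
            s.frame_errors += 1
        elif event == "COMPLETE":
            s.completed += 1
            s.in_flight.discard(sid)
    return stats


def findings(stats, reset_rate_per_s=20.0, frame_error_limit=10):
    """Flag connections matching the detection strategies. Thresholds are
    assumed starting points to tune against the local baseline."""
    flagged = {}
    for conn, s in stats.items():
        reasons = []
        window = max(s.last_ts - s.first_ts, 1.0)
        rate = s.server_resets / window
        if rate > reset_rate_per_s:
            reasons.append(f"server RST_STREAM rate {rate:.0f}/s")
        if s.advertised_max is not None and s.peak_in_flight > s.advertised_max:
            reasons.append(f"in-flight {s.peak_in_flight} > advertised {s.advertised_max}")
        if s.frame_errors > frame_error_limit:
            reasons.append(f"{s.frame_errors} malformed frames")
        if reasons:
            flagged[conn] = (s.src_ip, reasons)
    return flagged


def frame_errors_by_source(stats):
    """Per-source-IP malformed-frame totals for rate-limiting decisions."""
    totals = {}
    for s in stats.values():
        totals[s.src_ip] = totals.get(s.src_ip, 0) + s.frame_errors
    return totals


if __name__ == "__main__":
    stats = analyze(build_sample_log())
    for conn, (src, reasons) in findings(stats).items():
        print(conn, src, "; ".join(reasons))
    print(frame_errors_by_source(stats))
```

The in-flight count deliberately ignores server resets: that is the difference between what the HTTP/2 layer believes and what the backend is actually doing, which is the condition the Root Cause section describes.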
How to Mitigate CVE-2025-54500
Immediate Actions Required
- Review the F5 Knowledge Base Article K000152001 and identify all BIG-IP and BIG-IP Next instances exposing HTTP/2 virtual servers.
- Apply the fixed software versions provided by F5 for each affected product family.
- Restrict HTTP/2 endpoints to known clients where business requirements permit, reducing the unauthenticated attack surface.
Patch Information
F5 has published remediation guidance and fixed releases in the F5 Knowledge Base Article K000152001. Software versions that have reached End of Technical Support (EoTS) are not evaluated by F5 and should be upgraded to a supported, patched release.
Workarounds
- Disable HTTP/2 profiles on affected virtual servers and fall back to HTTP/1.1 until patches are applied.
- Lower the SETTINGS_MAX_CONCURRENT_STREAMS value in the HTTP/2 profile to reduce the impact of stream amplification.
- Apply connection and request rate limits via AFM or iRules to throttle abusive HTTP/2 clients.
- Place a DDoS-aware upstream service in front of BIG-IP to filter malformed HTTP/2 control frames.
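The first immediate action (find every virtual server exposing HTTP/2) and the first two workarounds (remove the HTTP/2 profile, or lower its stream limit) both start from an inventory. The audit script below is added here and is not F5 tooling; the tmsh-style listing it parses is constructed, and it relies only on the BIG-IP http2 profile setting concurrent-streams-per-connection (the profile property behind SETTINGS_MAX_CONCURRENT_STREAMS) and defaults-from inheritance. The ceiling of 10 is an assumed policy value, not a number from the page.

```python
# Added example (not F5's tooling): audit which virtual servers expose HTTP/2
# and what concurrent-stream limit applies, from tmsh-style "list" output.
# The listing below is constructed for the illustration.
SAMPLE_TMSH_OUTPUT = """
ltm profile http2 http2 {
    concurrent-streams-per-connection 10
}
ltm profile http2 http2_highlimit {
    concurrent-streams-per-connection 200
    defaults-from http2
}
ltm profile http2 http2_child {
    defaults-from http2_highlimit
}
ltm virtual vs_api {
    destination 10.0.0.10:443
    profiles {
        http { }
        http2_child { }
        tcp { }
    }
}
ltm virtual vs_web {
    destination 10.0.0.11:443
    profiles {
        http { }
        http2 { }
        tcp { }
    }
}
ltm virtual vs_legacy {
    destination 10.0.0.12:80
    profiles {
        http { }
        tcp { }
    }
}
"""


def parse_blocks(text):
    """Split tmsh-style output into top-level (header, body_lines) pairs,
    tracking brace depth so nested sections stay inside their block."""
    blocks, depth, header, body = [], 0, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            if line.endswith("{"):
                header, body, depth = line[:-1].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append((header, body))
        else:
            body.append(line)
    return blocks


def audit_http2_exposure(text, ceiling=10):
    """Return {virtual: {http2_profile, limit, over_ceiling}}; http2_profile is
    None when the virtual server carries no http2 profile. `ceiling` is an
    operator-chosen policy value (10 assumed here)."""
    profiles, virtuals = {}, {}
    for header, body in parse_blocks(text):
        words = header.split()
        if words[:3] == ["ltm", "profile", "http2"]:
            limit = parent = None
            for line in body:
                key, _, value = line.partition(" ")
                if key == "concurrent-streams-per-connection":
                    limit = int(value)
                elif key == "defaults-from":
                    parent = value
            profiles[words[3]] = (limit, parent)
        elif words[:2] == ["ltm", "virtual"]:
            names, in_profiles = [], False
            for line in body:
                if line.startswith("profiles {"):
                    in_profiles = True
                elif in_profiles and line == "}":
                    in_profiles = False
                elif in_profiles:
                    names.append(line.split()[0])
            virtuals[words[2]] = names

    def effective_limit(name):
        seen = set()
        while name in profiles and name not in seen:  # follow defaults-from chain
            seen.add(name)
            limit, parent = profiles[name]
            if limit is not None:
                return limit
            name = parent
        return None

    report = {}
    for vs, names in virtuals.items():
        h2 = next((n for n in names if n in profiles), None)
        limit = effective_limit(h2) if h2 else None
        report[vs] = {"http2_profile": h2, "limit": limit,
                      "over_ceiling": limit is not None and limit > ceiling}
    return report


if __name__ == "__main__":
    for vs, row in audit_http2_exposure(SAMPLE_TMSH_OUTPUT).items():
        print(vs, row)
```

On a real device the input comes from `tmsh list ltm profile http2` and `tmsh list ltm virtual`; a flagged profile is lowered with `tmsh modify ltm profile http2 <name> concurrent-streams-per-connection <n>`, and the HTTP/2-disable workaround corresponds to removing the profile from the virtual server with `tmsh modify ltm virtual <vs> profiles delete { <http2-profile> }`. Confirm property names against the tmsh reference for the running software version.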
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


