CVE-2025-54500 - Vulnerability Details

An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack).

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00113.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
F5	Big-ip Big-ip Access Policy Manager Big-ip Advanced Firewall Manager Big-ip Advanced Web Application Firewall Big-ip Analytics Big-ip Application Acceleration Manager Big-ip Application Security Manager Big-ip Application Visibility And Reporting Big-ip Automation Toolchain Big-ip Carrier-grade Nat Big-ip Container Ingress Services Big-ip Ddos Hybrid Defender Big-ip Domain Name System Big-ip Edge Gateway Big-ip Fraud Protection Service Big-ip Global Traffic Manager Big-ip Link Controller Big-ip Local Traffic Manager Big-ip Next Big-ip Next Central Manager Big-ip Next Cloud-native Network Functions Big-ip Next For Kubernetes Big-ip Next Service Proxy For Kubernetes Big-ip Policy Enforcement Manager Big-ip Ssl Orchestrator Big-ip Webaccelerator Big-ip Websafe Silverline

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting::::::::
	cpe:2.3:a:f5:big-ip_automation_toolchain::::::::
	cpe:2.3:a:f5:big-ip_carrier-grade_nat::::::::
	cpe:2.3:a:f5:big-ip_container_ingress_services::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_edge_gateway::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
	cpe:2.3:a:f5:big-ip_webaccelerator::::::::
	cpe:2.3:a:f5:big-ip_websafe::::::::

Configuration 2 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting::::::::
	cpe:2.3:a:f5:big-ip_automation_toolchain::::::::
	cpe:2.3:a:f5:big-ip_carrier-grade_nat::::::::
	cpe:2.3:a:f5:big-ip_container_ingress_services::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_edge_gateway::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
	cpe:2.3:a:f5:big-ip_webaccelerator::::::::
	cpe:2.3:a:f5:big-ip_websafe::::::::

Configuration 3 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting::::::::
	cpe:2.3:a:f5:big-ip_application_visibility_and_reporting::::::::
	cpe:2.3:a:f5:big-ip_automation_toolchain::::::::
	cpe:2.3:a:f5:big-ip_automation_toolchain::::::::
	cpe:2.3:a:f5:big-ip_carrier-grade_nat::::::::
	cpe:2.3:a:f5:big-ip_carrier-grade_nat::::::::
	cpe:2.3:a:f5:big-ip_container_ingress_services::::::::
	cpe:2.3:a:f5:big-ip_container_ingress_services::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_edge_gateway::::::::
	cpe:2.3:a:f5:big-ip_edge_gateway::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
	cpe:2.3:a:f5:big-ip_webaccelerator::::::::
	cpe:2.3:a:f5:big-ip_webaccelerator::::::::
	cpe:2.3:a:f5:big-ip_websafe::::::::
	cpe:2.3:a:f5:big-ip_websafe::::::::

Configuration 4 [-]

OR	cpe:2.3:a:f5:big-ip_next_central_manager:20.3.0:::::::*
	cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions::::::::
	cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions::::::::
	cpe:2.3:a:f5:big-ip_next_for_kubernetes:2.0.0:::::::*
	cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes::::::::
	cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes::::::::
	cpe:2.3:a:f5:silverline::::::::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
F5	Big-ip Big-ip Next

Advisories

Source	ID	Title
EUVD	EUVD-2025-24575	An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://kb.cert.org/vuls/id/767506
https://my.f5.com/manage/s/article/K000152001
https://nvd.nist.gov/vuln/detail/CVE-2025-54500
https://www.cve.org/CVERecord?id=CVE-2025-54500
https://www.kb.cert.org/vuls/id/767506

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://www.kb.cert.org/vuls/id/767506

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		F5 big-ip Access Policy Manager F5 big-ip Advanced Firewall Manager F5 big-ip Advanced Web Application Firewall F5 big-ip Analytics F5 big-ip Application Acceleration Manager F5 big-ip Application Security Manager F5 big-ip Application Visibility And Reporting F5 big-ip Automation Toolchain F5 big-ip Carrier-grade Nat F5 big-ip Container Ingress Services F5 big-ip Ddos Hybrid Defender F5 big-ip Domain Name System F5 big-ip Edge Gateway F5 big-ip Fraud Protection Service F5 big-ip Global Traffic Manager F5 big-ip Link Controller F5 big-ip Local Traffic Manager F5 big-ip Next Central Manager F5 big-ip Next Cloud-native Network Functions F5 big-ip Next For Kubernetes F5 big-ip Next Service Proxy For Kubernetes F5 big-ip Policy Enforcement Manager F5 big-ip Ssl Orchestrator F5 big-ip Webaccelerator F5 big-ip Websafe F5 silverline
CPEs		cpe:2.3:a:f5:big-ip_access_policy_manager:::::::: cpe:2.3:a:f5:big-ip_advanced_firewall_manager:::::::: cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:::::::: cpe:2.3:a:f5:big-ip_analytics:::::::: cpe:2.3:a:f5:big-ip_application_acceleration_manager:::::::: cpe:2.3:a:f5:big-ip_application_security_manager:::::::: cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:::::::: cpe:2.3:a:f5:big-ip_automation_toolchain:::::::: cpe:2.3:a:f5:big-ip_carrier-grade_nat:::::::: cpe:2.3:a:f5:big-ip_container_ingress_services:::::::: cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:::::::: cpe:2.3:a:f5:big-ip_domain_name_system:::::::: cpe:2.3:a:f5:big-ip_edge_gateway:::::::: cpe:2.3:a:f5:big-ip_fraud_protection_service:::::::: cpe:2.3:a:f5:big-ip_global_traffic_manager:::::::: cpe:2.3:a:f5:big-ip_link_controller:::::::: cpe:2.3:a:f5:big-ip_local_traffic_manager:::::::: cpe:2.3:a:f5:big-ip_next_central_manager:20.3.0:::::::* cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:::::::: cpe:2.3:a:f5:big-ip_next_for_kubernetes:2.0.0:::::::* cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:::::::: cpe:2.3:a:f5:big-ip_policy_enforcement_manager:::::::: cpe:2.3:a:f5:big-ip_ssl_orchestrator:::::::: cpe:2.3:a:f5:big-ip_webaccelerator:::::::: cpe:2.3:a:f5:big-ip_websafe:::::::: cpe:2.3:a:f5:silverline::::::::
Vendors & Products		F5 big-ip Access Policy Manager F5 big-ip Advanced Firewall Manager F5 big-ip Advanced Web Application Firewall F5 big-ip Analytics F5 big-ip Application Acceleration Manager F5 big-ip Application Security Manager F5 big-ip Application Visibility And Reporting F5 big-ip Automation Toolchain F5 big-ip Carrier-grade Nat F5 big-ip Container Ingress Services F5 big-ip Ddos Hybrid Defender F5 big-ip Domain Name System F5 big-ip Edge Gateway F5 big-ip Fraud Protection Service F5 big-ip Global Traffic Manager F5 big-ip Link Controller F5 big-ip Local Traffic Manager F5 big-ip Next Central Manager F5 big-ip Next Cloud-native Network Functions F5 big-ip Next For Kubernetes F5 big-ip Next Service Proxy For Kubernetes F5 big-ip Policy Enforcement Manager F5 big-ip Ssl Orchestrator F5 big-ip Webaccelerator F5 big-ip Websafe F5 silverline

Thu, 14 Aug 2025 06:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		F5 F5 big-ip F5 big-ip Next
Vendors & Products		F5 F5 big-ip F5 big-ip Next
References		https://kb.cert.org/vuls/id/767506 https://nvd.nist.gov/vuln/detail/CVE-2025-54500 https://www.cve.org/CVERecord?id=CVE-2025-54500
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 13 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 Aug 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title		HTTP/2 Vulnerability
Weaknesses		CWE-770
References		https://my.f5.com/manage/s/article/K000152001
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2025-08-13T14:46:55.097Z

Updated: 2025-11-03T20:06:30.935Z

Reserved: 2025-07-29T17:12:25.031Z

Link: CVE-2025-54500

Vulnrichment

Updated: 2025-11-03T20:06:30.935Z

NVD

Status : Modified

Published: 2025-08-13T15:15:38.547

Modified: 2025-11-03T20:19:14.407

Link: CVE-2025-54500

Redhat

Severity : Moderate

Publid Date: 2025-08-13T14:46:55Z

Links: CVE-2025-54500 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-13T21:46:59Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object