Skip to main content

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Apr 06, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 19:06 vuln.today
CVE Published
Aug 13, 2025 - 15:15 nvd
MEDIUM 6.9

DescriptionCVE.org

An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack).

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.

CVE-2025-20029 HIGH
8.7 Feb 05

F5 BIG-IP contains an authenticated command injection in the iControl REST API and TMOS Shell (tmsh) save command. Authe

CVE-2025-21087 HIGH
8.9 Feb 05

When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclo

CVE-2025-41433 HIGH
8.7 May 07

When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is conf

CVE-2025-21091 HIGH
8.7 Feb 05

When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilizatio

CVE-2025-36504 HIGH
8.7 May 07

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase i

CVE-2025-31644 HIGH
8.5 May 07

When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS

CVE-2026-22548 MEDIUM
5.9 Feb 04

BIG-IP Advanced WAF and ASM experience denial of service when processing specific requests under certain conditions, cau

CVE-2026-20732 LOW
3.1 Feb 04

Big-Ip Access Policy Manager is affected by user interface (ui) misrepresentation of critical information (CVSS 3.1).

CVE-2025-52585 HIGH
8.7 Aug 13

When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diff

CVE-2025-41414 HIGH
8.7 May 07

When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate

CVE-2025-41399 HIGH
8.7 May 07

When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can c

CVE-2025-24320 MEDIUM
5.1 Feb 05

A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2025-54500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy