amphp/http-server affected by HTTP/2 DDoS vulnerability
Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506. In versions 3.4.4 and 2.1.10, stream reset protection has been refactored to account for the number of reset streams within a sliding time window. Note that your application must expose HTTP/2 connections directly to be affected by …