Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506.
In versions 3.4.4 and 2.1.10, stream reset protection has been refactored to account for the number of reset streams within a sliding time window.
Note that your application must expose HTTP/2 connections directly to be affected by this vulnerability. Servers behind a proxy using HTTP/1.x such as nginx are not affected.
2.1.103.4.4Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:L5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L