HIGH 7.5 Maven
Undertow MadeYouReset HTTP/2 DDoS Vulnerability
GHSA-95h4-w6j8-2rp8 · CVE-2025-9784
Published · Modified
Description
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-9784
- WEB https://github.com/undertow-io/undertow/pull/1805
- WEB https://github.com/undertow-io/undertow/pull/1804
- WEB https://github.com/undertow-io/undertow/pull/1803
- WEB https://github.com/undertow-io/undertow/pull/1802
- WEB https://github.com/undertow-io/undertow/pull/1778
- WEB https://www.kb.cert.org/vuls/id/767506
- WEB https://kb.cert.org/vuls/id/767506
- WEB https://issues.redhat.com/browse/UNDERTOW-2598
- WEB https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final
- PACKAGE https://github.com/undertow-io/undertow
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2392306
- WEB https://access.redhat.com/security/cve/CVE-2025-9784
- WEB https://access.redhat.com/errata/RHSA-2026:4924
- WEB https://access.redhat.com/errata/RHSA-2026:4917
- WEB https://access.redhat.com/errata/RHSA-2026:4916
- WEB https://access.redhat.com/errata/RHSA-2026:4915
- WEB https://access.redhat.com/errata/RHSA-2026:3892
- WEB https://access.redhat.com/errata/RHSA-2026:3891
- WEB https://access.redhat.com/errata/RHSA-2026:3889
- WEB https://access.redhat.com/errata/RHSA-2026:0386
- WEB https://access.redhat.com/errata/RHSA-2026:0384
- WEB https://access.redhat.com/errata/RHSA-2026:0383
- WEB https://access.redhat.com/errata/RHSA-2025:23143
Ready to move
Start Securing
Free, no credit card | First findings in minutes