Impact
A flaw was found in Undertow's HTTP/2 handling. A client can send frames that are malformed at the stream level in a way that obliges the server to reset the stream itself (send RST_STREAM), and those server-initiated resets are not counted by the abuse counters that limit client-initiated resets. The issue, called the "MadeYouReset" attack, lets a malicious client repeatedly force stream aborts: each reset closes the stream from the protocol's point of view and frees a slot under the concurrent-stream limit, while the request work the server has already dispatched continues to consume CPU and memory. Repeated at scale this exhausts processing capacity and violates availability. The malformed frames are themselves ordinary protocol errors that the server is required to answer with a reset; the weakness is in the implementation's countermeasures, which meter only resets sent by the client, so a flood of server-sent resets drives the server into a costly state without tripping them.
Affected Systems
The vulnerability affects Red Hat products that embed Undertow. The affected releases are Red Hat Enterprise Linux 10, 9, and 8; Red Hat JBoss Enterprise Application Platform 7.4 (including the ELS variants on RHEL 7, 8, and 9); Red Hat JBoss Enterprise Application Platform 8.0 and 8.1 (and their corresponding ELS variants for RHEL 8 and 9); Red Hat JBoss Enterprise Application Platform 8 (generic); Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat Data Grid 8; Red Hat Fuse 7; Red Hat Process Automation 7; Red Hat Single Sign-On 7; the Red Hat build of Apache Camel - HawtIO 4; and the Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8. Undertow 2.2.38.Final contains the fix; any of these products shipping an earlier Undertow is affected until it is updated to 2.2.38.Final or later.
Risk and Exploitability
The CVSS base score is 7.5 (high). The EPSS score of 2 % corresponds to a modest but non-negligible probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but its availability impact and network-based attack vector (HTTP/2 client frames) make it a significant risk. An attacker can trigger the issue from any network position that can reach the Undertow server's HTTP/2 listener; no authentication or special privileges are required. Because the abuse counters meter only client-sent RST_STREAM frames, the Rapid Reset (CVE-2023-44487) style mitigations that count those frames do not cover this attack: the server can be driven to reset streams at line speed without any counter tripping, leading to sustained denial of service until the fixed Undertow build is deployed.
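The following is an added illustrative model, not Undertow's code and not a description of its actual fix. It simulates the stream accounting of an HTTP/2 server under two reset-metering policies: a Rapid-Reset-era policy that counts only client-sent RST_STREAM frames, and a hardened policy that also counts resets the server is forced to send in response to malformed client frames. The frame kinds, the reset limit of 50, the concurrent-stream limit of 100 and the assumption that a handler keeps running after its stream is reset are all assumptions of the model, chosen to show why the MadeYouReset pattern stays below the concurrent-stream limit while leaving unbounded work in flight.

```python
"""Illustrative model of HTTP/2 stream-reset accounting on a server.

Added example; not Undertow's code.  Contrasts a reset counter that only
meters client-sent RST_STREAM frames (vulnerable to MadeYouReset) with one
that also meters resets the server is forced to send (hardened).
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # assumed SETTINGS_MAX_CONCURRENT_STREAMS value


@dataclass(frozen=True)
class Frame:
    kind: str        # "HEADERS", "RST_STREAM" or "MALFORMED" (assumed event kinds)
    stream_id: int


@dataclass
class Server:
    reset_limit: int            # resets tolerated per connection before GOAWAY
    count_server_resets: bool   # False: vulnerable policy; True: hardened policy
    open_streams: set = field(default_factory=set)
    in_flight: int = 0          # handlers dispatched and still consuming resources
    client_resets: int = 0
    server_resets: int = 0
    closed: bool = False
    peak_concurrent: int = 0

    def _metered_resets(self) -> int:
        used = self.client_resets
        if self.count_server_resets:
            used += self.server_resets
        return used

    def receive(self, frame: Frame) -> None:
        if self.closed:
            return
        if frame.kind == "HEADERS":
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                self.closed = True        # too many open streams: connection error
                return
            self.open_streams.add(frame.stream_id)
            self.in_flight += 1           # handler dispatched; assumed to run to completion
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
        elif frame.kind == "RST_STREAM":
            self.open_streams.discard(frame.stream_id)
            self.client_resets += 1       # the only thing the vulnerable policy counts
        elif frame.kind == "MALFORMED":
            # A stream-level protocol error forces the server to send its own
            # RST_STREAM: the stream closes, but the dispatched work does not stop.
            self.open_streams.discard(frame.stream_id)
            self.server_resets += 1
        if self._metered_resets() > self.reset_limit:
            self.closed = True            # abuse detected: connection torn down


def rapid_reset(n: int):
    """Classic Rapid Reset: client opens a stream, then resets it itself."""
    for i in range(n):
        sid = 2 * i + 1
        yield Frame("HEADERS", sid)
        yield Frame("RST_STREAM", sid)


def made_you_reset(n: int):
    """MadeYouReset: client opens a stream, then makes the server reset it."""
    for i in range(n):
        sid = 2 * i + 1
        yield Frame("HEADERS", sid)
        yield Frame("MALFORMED", sid)


def simulate(frames, count_server_resets: bool, reset_limit: int = 50) -> dict:
    """Feed frames to a fresh connection and report what the server ended up with."""
    srv = Server(reset_limit=reset_limit, count_server_resets=count_server_resets)
    for frame in frames:
        srv.receive(frame)
    return {"closed": srv.closed, "in_flight": srv.in_flight,
            "peak_concurrent": srv.peak_concurrent}


if __name__ == "__main__":
    # Constructed attack traffic: 1000 request/reset pairs on one connection.
    print("rapid reset, vulnerable policy:", simulate(rapid_reset(1000), False))
    print("made you reset, vulnerable policy:", simulate(made_you_reset(1000), False))
    print("made you reset, hardened policy:", simulate(made_you_reset(1000), True))
```

Under the vulnerable policy the MadeYouReset run never trips the counter and never exceeds one open stream, yet leaves all 1000 handlers in flight; the same policy stops classic Rapid Reset after 51 pairs, which is exactly the gap the attack exploits. Metering server-initiated resets as well closes the connection at the same point for both patterns.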