Description
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Published: 2025-09-02
Score: 7.5 High
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Workaround

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26388 A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Github GHSA Github GHSA GHSA-95h4-w6j8-2rp8 Undertow MadeYouReset HTTP/2 DDoS Vulnerability
History

Wed, 18 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Enterprise Application Platform Els
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4
cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el7
cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el8
cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el9
Vendors & Products Redhat jboss Enterprise Application Platform Els
References

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
References

Thu, 08 Jan 2026 22:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8
References

Thu, 08 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
References

Thu, 11 Dec 2025 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat apache Camel Spring Boot
CPEs cpe:/a:redhat:camel_spring_boot:4 cpe:/a:redhat:apache_camel_spring_boot:4.14
Vendors & Products Redhat camel Spring Boot
Redhat apache Camel Spring Boot
References

Mon, 08 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
References

Fri, 07 Nov 2025 22:00:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Thu, 02 Oct 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhivos
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Wed, 24 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References

Wed, 10 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Apache Camel For Spring Boot
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Redhat single Sign-on
Redhat undertow
CPEs cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat build Of Apache Camel For Spring Boot
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Redhat single Sign-on
Redhat undertow

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Tue, 02 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-404

Tue, 02 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Title undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability Undertow: undertow madeyoureset http/2 ddos vulnerability
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References

Mon, 01 Sep 2025 12:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Subscriptions

Redhat Apache Camel Hawtio Apache Camel Spring Boot Build Of Apache Camel For Spring Boot Enterprise Linux Fuse Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Els Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Process Automation Red Hat Single Sign On Single Sign-on Undertow
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-01T11:43:10.566Z

Reserved: 2025-09-01T06:33:05.239Z

Link: CVE-2025-9784

cve-icon Vulnrichment

Updated: 2025-11-03T20:07:57.869Z

cve-icon NVD

Status : Modified

Published: 2025-09-02T14:15:36.593

Modified: 2026-03-18T16:16:24.440

Link: CVE-2025-9784

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-01T06:21:54Z

Links: CVE-2025-9784 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses