A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
History

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Tue, 02 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-404

Tue, 02 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
Description
Removed: No description is available for this CVE.
Added: A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Title
Removed: undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
Added: Undertow: undertow madeyoureset http/2 ddos vulnerability
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References

Mon, 01 Sep 2025 12:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-02T14:40:05.123Z

Reserved: 2025-09-01T06:33:05.239Z

Link: CVE-2025-9784

Vulnrichment

Updated: 2025-09-02T13:59:07.537Z

NVD

Status: Awaiting Analysis

Published: 2025-09-02T14:15:36.593

Modified: 2025-09-02T15:55:25.420

Link: CVE-2025-9784

Redhat

Severity: Important

Public Date: 2025-09-01T06:21:54Z

Links: CVE-2025-9784 - Bugzilla

OpenCVE Enrichment

No data.