VYPR
High severity · OSV Advisory · Published Sep 2, 2025 · Updated Apr 30, 2026

Undertow: Undertow MadeYouReset HTTP/2 DDoS vulnerability

CVE-2025-9784

Description

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Undertow's failure to track repeated stream resets from malformed requests enables a "MadeYouReset" DoS attack.

Vulnerability

Description

CVE-2025-9784 describes a denial of service (DoS) vulnerability in Undertow, an embeddable web server. The flaw, dubbed the "MadeYouReset" attack, arises because the server does not increment abuse counters when handling malformed client requests that trigger server-side stream resets [1][2]. While this is not a protocol-level bug, it exposes a common implementation weakness in the handling of HTTP/2 or similar stream-based connections where rapid resets can be exploited.

Exploitation

An unauthenticated attacker with network access to the Undertow server can repeatedly send crafted requests that cause the server to abort streams internally [3][4]. Because the server fails to register these events in its abuse counter mechanism, there is no throttling or back-pressure applied. The attacker can therefore send a high rate of such requests without being blocked.

Impact

Successful exploitation forces the Undertow server to expend resources processing each reset, leading to excessive CPU and/or memory consumption. Over time, this can degrade performance or completely exhaust server resources, resulting in a denial of service for legitimate clients. The attack does not require any special privileges or knowledge of the internal state beyond the ability to deliver network packets.

Mitigation

Red Hat has released updated packages for Red Hat Enterprise Linux and Red Hat JBoss Enterprise Application Platform (EAP) via RHSA-2026:0384, RHSA-2026:0383, RHSA-2026:3891, and RHSA-2026:3889 to address this flaw [1][2][3][4]. Administrators should apply the relevant updates to ensure the abuse counter mechanism properly tracks and limits stream resets.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions                   Patched versions
io.undertow:undertow-core    Maven       < 2.2.38.Final                      2.2.38.Final
io.undertow:undertow-core    Maven       >= 2.3.0.Alpha1, < 2.3.20.Final     2.3.20.Final

Affected products (2)

  • Undertow (io/undertow, source: OSV), 2 version entries, no CPE
    Versions: 1.0.0.Alpha1, 1.0.0.Alpha10, 1.0.0.Alpha11, … (+1 more)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (24)

News mentions (0)

No linked articles in our index yet.