High severityOSV Advisory· Published Sep 2, 2025· Updated Apr 30, 2026
Undertow: undertow madeyoureset http/2 ddos vulnerability
CVE-2025-9784
Description
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | < 2.2.38.Final | 2.2.38.Final |
io.undertow:undertow-coreMaven | >= 2.3.0.Alpha1, < 2.3.20.Final | 2.3.20.Final |
Affected products
12- Range: 1.0.0.Alpha1, 1.0.0.Alpha10, 1.0.0.Alpha11, …
- osv-coords11 versionspkg:apk/chainguard/wildflypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-17-compatpkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/wildfly-openjdk-21-compatpkg:apk/wolfi/wildflypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-17-compatpkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-21-compatpkg:maven/io.undertow/undertow-core
< 38.0.0-r0+ 10 more
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 38.0.0-r0
- (no CPE)range: < 2.2.38.Final
Patches
Vulnerability mechanics
References
24- access.redhat.com/errata/RHSA-2025:23143ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0383ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0384ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0386ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3889ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3891ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3892ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4915ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4916ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4917ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4924ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-95h4-w6j8-2rp8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-9784ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-9784ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/undertow-io/undertow/pull/1778ghsaWEB
- github.com/undertow-io/undertow/pull/1802ghsaWEB
- github.com/undertow-io/undertow/pull/1803ghsaWEB
- github.com/undertow-io/undertow/pull/1804ghsaWEB
- github.com/undertow-io/undertow/pull/1805ghsaWEB
- github.com/undertow-io/undertow/releases/tag/2.2.38.FinalghsaWEB
- issues.redhat.com/browse/UNDERTOW-2598ghsaWEB
- kb.cert.org/vuls/id/767506ghsaWEB
- www.kb.cert.org/vuls/id/767506ghsaWEB
News mentions
0No linked articles in our index yet.