VYPR
High severityOSV Advisory· Published Sep 2, 2025· Updated Apr 30, 2026

Undertow: undertow madeyoureset http/2 ddos vulnerability

CVE-2025-9784

Description

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.undertow:undertow-coreMaven
< 2.2.38.Final2.2.38.Final
io.undertow:undertow-coreMaven
>= 2.3.0.Alpha1, < 2.3.20.Final2.3.20.Final

Affected products

12

Patches

Vulnerability mechanics

References

24

News mentions

0

No linked articles in our index yet.