CVE-2025-9784 - Vulnerability Details

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00606.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat Subscribe	Apache Camel Hawtio Subscribe Apache Camel Spring Boot Subscribe Build Of Apache Camel For Spring Boot Subscribe Enterprise Linux Subscribe Fuse Subscribe Jboss Data Grid Subscribe Jboss Enterprise Application Platform Subscribe Jboss Enterprise Application Platform Expansion Pack Subscribe Jboss Enterprise Bpms Platform Subscribe Jboss Fuse Subscribe Jbosseapxp Subscribe Process Automation Subscribe Red Hat Single Sign On Subscribe Single Sign-on Subscribe Undertow Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:::::::*
	cpe:2.3:a:redhat:fuse:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:::::::*
	cpe:2.3:a:redhat:process_automation:7.0:::::::*
	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*
	cpe:2.3:a:redhat:undertow:-:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0::::-:::
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-26388	A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Github GHSA	GHSA-95h4-w6j8-2rp8	Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:23143
https://access.redhat.com/errata/RHSA-2026:0383
https://access.redhat.com/errata/RHSA-2026:0384
https://access.redhat.com/errata/RHSA-2026:0386
https://access.redhat.com/security/cve/CVE-2025-9784
https://bugzilla.redhat.com/show_bug.cgi?id=2392306
https://github.com/undertow-io/undertow/pull/1778
https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final
https://issues.redhat.com/browse/UNDERTOW-2598
https://kb.cert.org/vuls/id/767506
https://nvd.nist.gov/vuln/detail/CVE-2025-9784
https://www.cve.org/CVERecord?id=CVE-2025-9784
https://www.kb.cert.org/vuls/id/767506

History

Fri, 09 Jan 2026 07:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8
References		https://access.redhat.com/errata/RHSA-2026:0383

Fri, 09 Jan 2026 02:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
References		https://access.redhat.com/errata/RHSA-2026:0384 https://access.redhat.com/errata/RHSA-2026:0386

Fri, 12 Dec 2025 07:45:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat apache Camel Spring Boot
CPEs	~~cpe:/a:redhat:camel_spring_boot:4~~	cpe:/a:redhat:apache_camel_spring_boot:4.14
Vendors & Products	Redhat camel Spring Boot	Redhat apache Camel Spring Boot
References		https://access.redhat.com/errata/RHSA-2025:23143

Mon, 08 Dec 2025 16:45:00 +0900

Type	Values Removed	Values Added
References		https://kb.cert.org/vuls/id/767506

Sat, 08 Nov 2025 07:00:00 +0900

Type	Values Removed	Values Added
References		https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final

Tue, 04 Nov 2025 05:30:00 +0900

Type	Values Removed	Values Added
References		https://www.kb.cert.org/vuls/id/767506

Wed, 08 Oct 2025 23:15:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:rhivos:1~~
Vendors & Products	Redhat rhivos

Fri, 03 Oct 2025 07:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhivos
CPEs		cpe:/o:redhat:rhivos:1
Vendors & Products		Redhat rhivos

Wed, 24 Sep 2025 22:45:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://github.com/undertow-io/undertow/pull/1778 https://issues.redhat.com/browse/UNDERTOW-2598

Thu, 11 Sep 2025 04:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat build Of Apache Camel For Spring Boot Redhat fuse Redhat jboss Enterprise Application Platform Expansion Pack Redhat process Automation Redhat single Sign-on Redhat undertow
CPEs		cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:::::::* cpe:2.3:a:redhat:fuse:7.0.0:::::::* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::* cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:::::::* cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:::::::* cpe:2.3:a:redhat:process_automation:7.0:::::::* cpe:2.3:a:redhat:single_sign-on:7.0:::::::* cpe:2.3:a:redhat:undertow:-:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0::::-::: cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
Vendors & Products		Redhat build Of Apache Camel For Spring Boot Redhat fuse Redhat jboss Enterprise Application Platform Expansion Pack Redhat process Automation Redhat single Sign-on Redhat undertow

Wed, 03 Sep 2025 00:30:00 +0900

Type	Values Removed	Values Added
Weaknesses	CWE-400

Wed, 03 Sep 2025 00:15:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-404

Tue, 02 Sep 2025 23:15:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 02 Sep 2025 22:45:00 +0900

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Title	undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability	Undertow: undertow madeyoureset http/2 ddos vulnerability
First Time appeared		Redhat Redhat apache Camel Hawtio Redhat camel Spring Boot Redhat enterprise Linux Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat red Hat Single Sign On
CPEs		cpe:/a:redhat:apache_camel_hawtio:4 cpe:/a:redhat:camel_spring_boot:4 cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_enterprise_bpms_platform:7 cpe:/a:redhat:jboss_fuse:7 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat apache Camel Hawtio Redhat camel Spring Boot Redhat enterprise Linux Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat red Hat Single Sign On
References		https://access.redhat.com/security/cve/CVE-2025-9784 https://bugzilla.redhat.com/show_bug.cgi?id=2392306

Mon, 01 Sep 2025 21:15:00 +0900

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
References		https://nvd.nist.gov/vuln/detail/CVE-2025-9784 https://www.cve.org/CVERecord?id=CVE-2025-9784
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-09-02T13:37:59.772Z

Updated: 2026-01-13T14:33:35.064Z

Reserved: 2025-09-01T06:33:05.239Z

Link: CVE-2025-9784

Vulnrichment

Updated: 2025-11-03T20:07:57.869Z

NVD

Status : Modified

Published: 2025-09-02T14:15:36.593

Modified: 2026-01-08T23:15:43.953

Link: CVE-2025-9784

Redhat

Severity : Important

Publid Date: 2025-09-01T06:21:54Z

Links: CVE-2025-9784 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object