CVE-2025-9784

EPSS 1.7%
Veröffentlicht 02.09.2025 13:37:59
Zuletzt bearbeitet 18.03.2026 16:16:24
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Undertow: undertow madeyoureset http/2 ddos vulnerability

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 21

NVD 10 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Build Of Apache Camel For Spring Boot Version-

Redhat ≫ Fuse Version7.0.0

Redhat ≫ Jboss Enterprise Application Platform Version7.0.0

Redhat ≫ Jboss Enterprise Application Platform Version8.0.0

Redhat ≫ Jboss Enterprise Application Platform Expansion Pack Version-

Redhat ≫ Process Automation Version7.0

Redhat ≫ Single Sign-on Version7.0

Redhat ≫ Undertow Version-

Redhat ≫ Enterprise Linux Version8.0 SwEdition-

Redhat ≫ Enterprise Linux Version9.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.7%	0.824

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://kb.cert.org/vuls/id/767506

https://access.redhat.com/security/cve/CVE-2025-9784

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2392306

Issue Tracking

https://github.com/undertow-io/undertow/pull/1778

https://issues.redhat.com/browse/UNDERTOW-2598

https://www.kb.cert.org/vuls/id/767506

https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final

https://access.redhat.com/errata/RHSA-2025:23143

https://access.redhat.com/errata/RHSA-2026:0384

https://access.redhat.com/errata/RHSA-2026:0386