Severity: HIGH 7.5

GHSA-95h4-w6j8-2rp8

Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Details

A flaw was found in Undertow where malformed client requests cause the server to reset the affected HTTP/2 streams itself, and these server-initiated resets are not counted by the server's reset-rate (abuse) counters. This issue, referred to as the "MadeYouReset" attack, allows a malicious client to induce excessive server workload by repeatedly provoking such server-side stream aborts. It is not a protocol bug; rather, it highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
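The weakness described above is that only client-sent RST_STREAM frames feed the reset-rate counter, so streams the server aborts on its own never count against the client. The following is an added illustration, not Undertow's code: a hypothetical per-connection reset counter is run over a constructed event sequence twice, once counting client-initiated resets only (the weak behaviour) and once counting every reset regardless of who initiated it (the hardened behaviour). The event sequence, thresholds and class names are assumptions chosen for the example.

```python
"""Per-connection HTTP/2 reset-abuse counter: weak vs. hardened (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ResetEvent:
    """One stream reset observed on a single HTTP/2 connection."""
    stream_id: int
    initiated_by: str  # "client": RST_STREAM received; "server": we aborted the stream
    ts: float          # seconds, monotonic


class ResetAbuseCounter:
    """Sliding-window counter that decides when a connection has reset too many streams.

    count_server_resets=False models the weak implementation (the MadeYouReset gap):
    resets the server itself performs after a malformed request are ignored.
    count_server_resets=True models the hardened behaviour: every reset on the
    connection counts, whoever initiated it.
    """

    def __init__(self, max_resets: int, window_s: float, count_server_resets: bool):
        self.max_resets = max_resets
        self.window_s = window_s
        self.count_server_resets = count_server_resets
        self._timestamps: deque = deque()

    def record(self, ev: ResetEvent) -> bool:
        """Record a reset; return True when the connection should be closed."""
        if ev.initiated_by == "server" and not self.count_server_resets:
            return False  # weak variant: server-side aborts are invisible to the counter
        self._timestamps.append(ev.ts)
        # drop events that fell out of the sliding window
        while self._timestamps and ev.ts - self._timestamps[0] > self.window_s:
            self._timestamps.popleft()
        return len(self._timestamps) > self.max_resets


def constructed_events(n: int, interval_s: float = 0.01) -> list:
    """Constructed sample: a client keeps sending malformed requests, and every one
    makes the server abort the stream. No client RST_STREAM frames are ever sent."""
    return [ResetEvent(stream_id=2 * i + 1, initiated_by="server", ts=i * interval_s)
            for i in range(n)]


def first_flagged_index(count_server_resets: bool, n_events: int = 50,
                        max_resets: int = 20, window_s: float = 1.0) -> int:
    """Return the index of the event at which the connection is flagged, or -1 if never."""
    counter = ResetAbuseCounter(max_resets, window_s, count_server_resets)
    for i, ev in enumerate(constructed_events(n_events)):
        if counter.record(ev):
            return i
    return -1


if __name__ == "__main__":
    print("weak (client resets only):", first_flagged_index(False))   # -1
    print("hardened (all resets):    ", first_flagged_index(True))    # 20
```

With the weak counter the connection is never flagged, because every reset was performed by the server; the hardened counter closes the connection on the 21st reset inside the one-second window, which is the behaviour the fixed Undertow versions provide in substance (the real implementation and its thresholds differ from this sketch).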


Affected packages

Maven / io.undertow:undertow-core
  Introduced in: 0 (all releases before the fix)
  Fixed in: 2.2.38.Final
  Fix: in pom.xml, bump <version>2.2.38.Final</version> for io.undertow:undertow-core

Maven / io.undertow:undertow-core
  Introduced in: 2.3.0.Alpha1
  Fixed in: 2.3.20.Final
  Fix: in pom.xml, bump <version>2.3.20.Final</version> for io.undertow:undertow-core

References