CVE-2025-9784
Vulnerability Summary
Description
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 2.23% • Percentile: 85%
Techniques & Countermeasures
- CWE-770 • Allocation of Resources Without Limits or Throttling
  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
- CWE-404 • Improper Resource Shutdown or Release
  The product does not release or incorrectly releases a resource before it is made available for re-use.
Affected Systems
- io.undertow • undertow-core: < 2.2.38.Final | ≥ 2.3.0.Alpha1, < 2.3.20.Final
- redhat • build_of_apache_camel_for_spring_boot: na
- redhat • enterprise_linux: 8.0 | 9.0
- redhat • fuse: 7.0.0
- redhat • jboss_enterprise_application_platform: 7.0.0 | 8.0.0
- redhat • jboss_enterprise_application_platform_expansion_pack: na
- redhat • process_automation: 7.0
- redhat • single_sign-on: 7.0
- redhat • undertow: na
References (24)
- https://access.redhat.com/errata/RHSA-2025:23143
- https://access.redhat.com/errata/RHSA-2026:0383
- https://access.redhat.com/errata/RHSA-2026:0384
- https://access.redhat.com/errata/RHSA-2026:0386
- https://access.redhat.com/security/cve/CVE-2025-9784
- https://bugzilla.redhat.com/show_bug.cgi?id=2392306
- https://github.com/undertow-io/undertow/pull/1778
- https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final
- https://issues.redhat.com/browse/UNDERTOW-2598
- https://kb.cert.org/vuls/id/767506
- https://www.kb.cert.org/vuls/id/767506
- https://nvd.nist.gov/vuln/detail/CVE-2025-9784
- https://github.com/undertow-io/undertow/pull/1805
- https://github.com/undertow-io/undertow/pull/1804
- https://github.com/undertow-io/undertow/pull/1802
- https://github.com/undertow-io/undertow/pull/1803
- https://github.com/undertow-io/undertow
- https://access.redhat.com/errata/RHSA-2026:3889
- https://access.redhat.com/errata/RHSA-2026:3891
- https://access.redhat.com/errata/RHSA-2026:3892
- https://access.redhat.com/errata/RHSA-2026:4915
- https://access.redhat.com/errata/RHSA-2026:4916
- https://access.redhat.com/errata/RHSA-2026:4917
- https://access.redhat.com/errata/RHSA-2026:4924