CVE-2025-9784HIGHCVSS 7.5

Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Published Sep 2, 2025·Updated Jun 30, 2026

Description

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Affected Packages (1)

io.undertow:undertow-coreMAVEN
Fixed in 2.2.38.Final

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free