CVE-2025-9784

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
redhatCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
redhatbuild_of_apache_camel_for_spring_boot
-
redhatfuse
7.0.0
redhatjboss_enterprise_application_platform
7.0.0
redhatjboss_enterprise_application_platform
8.0.0
redhatjboss_enterprise_application_platform_expansion_pack
-
redhatprocess_automation
7.0
redhatsingle_sign-on
7.0
redhatundertow
-
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-9784
https://bugzilla.redhat.com/show_bug.cgi?id=2392306
https://github.com/undertow-io/undertow/pull/1778
https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final
https://issues.redhat.com/browse/UNDERTOW-2598
https://www.kb.cert.org/vuls/id/767506