CVE-2025-9784

Summary

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Affected Software

VendorProductVersion RangeStatus
0 < 2.2.38.Finalaffected
Red HatRed Hat JBoss Enterprise Application Platform2.2.39.Final-redhat-00001 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 70:1.4.18-21.SP19_redhat_00001.1.ep7.el7 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 70:2.0.41-8.SP9_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 70:2.2.39-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 70:7.4.24-4.GA_redhat_00002.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 80:2.2.39-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 80:7.4.24-4.GA_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 90:2.2.39-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 90:7.4.24-4.GA_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:1.83.0-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:33.0.0-2.jre_redhat_00003.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.0.6-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:1.0.0-3.redhat_00009.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.0.2-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.3.23-1.SP3_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:1.83.0-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:33.0.0-2.jre_redhat_00003.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.0.6-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:1.0.0-3.redhat_00009.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.0.2-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.3.23-1.SP3_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:4.0.10-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:1.82.0-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:801.3.0-1.GA_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:1.0.1-3.redhat_00003.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:6.6.36-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:4.0.2-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:2.5.0-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:2.3.20-2.SP4_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:8.1.3-4.GA_redhat_00006.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:5.0.12-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:2.6.6-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:8.1.1-4.GA_redhat_00007.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:4.0.10-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:1.82.0-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:801.3.0-1.GA_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:1.0.1-3.redhat_00003.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:6.6.36-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:4.0.2-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:2.5.0-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:2.3.20-2.SP4_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:8.1.3-4.GA_redhat_00006.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:5.0.12-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:2.6.6-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:8.1.1-4.GA_redhat_00007.1.el9eap < *unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

Workarounds

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References