CVE-2025-9784: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
(updated )
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the “MadeYouReset” attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
References
- access.redhat.com/security/cve/CVE-2025-9784
- bugzilla.redhat.com/show_bug.cgi?id=2392306
- github.com/advisories/GHSA-95h4-w6j8-2rp8
- github.com/undertow-io/undertow
- github.com/undertow-io/undertow/pull/1778
- github.com/undertow-io/undertow/pull/1802
- github.com/undertow-io/undertow/pull/1803
- github.com/undertow-io/undertow/pull/1804
- github.com/undertow-io/undertow/pull/1805
- issues.redhat.com/browse/UNDERTOW-2598
- nvd.nist.gov/vuln/detail/CVE-2025-9784
- www.kb.cert.org/vuls/id/767506
Code Behaviors & Features
Detect and mitigate CVE-2025-9784 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →