CVE-2025-9784 Overview
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Critical Impact
Attackers can exhaust server resources by repeatedly sending malformed requests that bypass abuse detection, leading to service unavailability for legitimate users.
Affected Products
- Red Hat Undertow
- Red Hat JBoss Enterprise Application Platform 7.0.0 and 8.0.0
- Red Hat Build of Apache Camel for Spring Boot
- Red Hat Fuse 7.0.0
- Red Hat Single Sign-On 7.0
- Red Hat Process Automation 7.0
- Red Hat JBoss Enterprise Application Platform Expansion Pack
- Red Hat Enterprise Linux 8.0 and 9.0
Discovery Timeline
- 2025-09-02 - CVE-2025-9784 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2025-9784
Vulnerability Analysis
This vulnerability stems from a weakness in how Undertow handles malformed HTTP/2 client requests. The "MadeYouReset" attack takes advantage of the fact that when the server encounters certain malformed requests, it initiates a stream reset (RST_STREAM frame) without incrementing the abuse counters designed to detect and mitigate such behavior. This allows an attacker to continuously trigger server-side resource consumption without being flagged as abusive.
The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-404 (Improper Resource Shutdown or Release), reflecting the core issue: the server allocates resources to process streams that are then aborted, but fails to properly track this pattern as potential abuse.
Root Cause
The root cause lies in Undertow's stream management implementation. When processing HTTP/2 streams, the server performs initial validation and resource allocation before fully parsing the request. If the request is malformed in a specific way, the server triggers a reset without updating abuse detection counters. This creates a gap in the protection mechanism where attackers can repeatedly exploit this behavior to consume server resources—including CPU cycles, memory for stream state management, and network bandwidth—without triggering rate limiting or connection termination.
Attack Vector
The attack is executed remotely over the network without requiring authentication or user interaction. An attacker establishes an HTTP/2 connection to a vulnerable Undertow server and sends specially crafted malformed requests designed to trigger server-side stream resets. By rapidly repeating this process across multiple streams within the same connection or across multiple connections, the attacker can exhaust server resources and degrade service availability.
The attack is particularly effective because it exploits the HTTP/2 multiplexing capability, allowing many streams to be opened and reset within a single connection. This amplifies the resource consumption while making traditional connection-based rate limiting less effective.
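To make the counter gap described in the root cause and attack vector concrete, the following is an added example, not Undertow's code: a minimal model of per-connection reset accounting in which server-issued resets either are or are not counted toward the abuse limit. The limit, window and reset rate are assumed values for illustration.

```python
# Added example, not Undertow's code: a minimal model of per-connection HTTP/2
# reset accounting that shows the MadeYouReset gap described above. The limit,
# window and rate values are assumed for illustration, not Undertow's settings.
from collections import deque

RESET_LIMIT = 100       # assumed: resets tolerated per connection within the window
WINDOW_SECONDS = 10.0   # assumed: sliding-window length


class ConnectionState:
    """Counts stream resets on one HTTP/2 connection and decides when to GOAWAY."""

    def __init__(self, count_server_resets: bool):
        # Vulnerable accounting: only client RST_STREAM frames hit the counter.
        # Fixed accounting: resets the server issues itself count toward the same limit.
        self.count_server_resets = count_server_resets
        self.reset_times = deque()
        self.closed = False

    def _record_reset(self, now: float) -> None:
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > WINDOW_SECONDS:
            self.reset_times.popleft()
        if len(self.reset_times) > RESET_LIMIT:
            self.closed = True  # a real server would send GOAWAY(ENHANCE_YOUR_CALM)

    def on_client_rst_stream(self, now: float) -> None:
        """Client cancelled the stream: always counted."""
        self._record_reset(now)

    def on_malformed_request(self, now: float) -> None:
        """Server aborts the stream with RST_STREAM after allocating state for it."""
        if self.count_server_resets:
            self._record_reset(now)
        # else: the stream is torn down and the abuse counter never sees it


def simulate(count_server_resets: bool, server_triggered: bool = True,
             streams: int = 1000) -> bool:
    """Return True if the connection is closed for abuse within `streams` resets."""
    conn = ConnectionState(count_server_resets)
    for i in range(streams):
        now = i * 0.001  # assumed rate: one reset per millisecond
        if server_triggered:
            conn.on_malformed_request(now)
        else:
            conn.on_client_rst_stream(now)
        if conn.closed:
            return True
    return False
```

With the vulnerable accounting, a thousand server-triggered resets never close the connection, while the same volume of client-sent RST_STREAM frames does; counting both paths closes the gap.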
Detection Methods for CVE-2025-9784
Indicators of Compromise
- Abnormally high rate of RST_STREAM frames being sent by the server
- Increased CPU and memory utilization on Undertow-based application servers without corresponding legitimate traffic increase
- Elevated number of HTTP/2 stream errors in server logs
- Pattern of rapid stream creation followed by immediate resets from specific client IP addresses
Detection Strategies
- Monitor HTTP/2 connection statistics for unusual ratios of successful requests to stream resets
- Implement network-level detection rules to identify clients generating excessive malformed HTTP/2 frames
- Configure log aggregation to alert on sudden spikes in stream reset events
- Deploy application performance monitoring to detect resource exhaustion patterns correlating with specific client connections
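As an added example of the first and last strategies above (not part of Undertow or any Red Hat tooling), the following script scores per-client stream activity for the open-then-server-reset pattern. The log line format, the field names and the sample addresses are constructed for this example; the regex needs to be adapted to the stream lifecycle events your listener actually emits.

```python
# Added example, not Undertow's own logging or detection code: flag clients whose
# HTTP/2 streams are mostly reset by the server shortly after being opened. The
# log line format and the sample below are constructed for this example; adapt
# LINE_RE to the stream lifecycle events your listener actually emits.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"(?P<ts>\S+) conn=(?P<conn>\d+) client=(?P<client>\S+) "
    r"stream=(?P<stream>\d+) event=(?P<event>\w+)(?: sender=(?P<sender>\w+))?"
)

ABUSER, BENIGN = "203.0.113.5", "198.51.100.9"  # constructed sample addresses
SAMPLE_LOG = "\n".join(
    # abuser: six streams, each reset by the server one millisecond after HEADERS
    [f"2025-09-02T10:00:01.{i:03d}Z conn=7 client={ABUSER} stream={2*i+1} event=HEADERS"
     for i in range(6)]
    + [f"2025-09-02T10:00:01.{i+1:03d}Z conn=7 client={ABUSER} stream={2*i+1} event=RST_STREAM sender=server"
       for i in range(6)]
    # benign: five streams and one ordinary client-side cancellation
    + [f"2025-09-02T10:00:02.{i:03d}Z conn=8 client={BENIGN} stream={2*i+1} event=HEADERS"
       for i in range(5)]
    + [f"2025-09-02T10:00:02.900Z conn=8 client={BENIGN} stream=3 event=RST_STREAM sender=client"]
)


def analyze(log_text, min_streams=5, reset_ratio=0.5, fast_ms=50):
    """Return {client: stats} for clients whose server-reset ratio exceeds the threshold."""
    open_ts = {}  # (client, conn, stream) -> time the HEADERS frame was seen
    stats = defaultdict(lambda: {"streams": 0, "server_resets": 0, "fast_resets": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        key, client = (m["client"], m["conn"], m["stream"]), m["client"]
        if m["event"] == "HEADERS":
            open_ts[key] = ts
            stats[client]["streams"] += 1
        elif m["event"] == "RST_STREAM" and m["sender"] == "server":
            stats[client]["server_resets"] += 1
            opened = open_ts.pop(key, None)
            # "fast" resets: the stream lived less than fast_ms, the MadeYouReset signature
            if opened is not None and (ts - opened).total_seconds() * 1000 <= fast_ms:
                stats[client]["fast_resets"] += 1
    return {c: s for c, s in stats.items()
            if s["streams"] >= min_streams and s["server_resets"] / s["streams"] >= reset_ratio}
```

Client-sent RST_STREAM frames are deliberately ignored here so that ordinary cancellations do not raise the score; only resets the server itself issued count.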
Monitoring Recommendations
- Enable detailed HTTP/2 protocol logging on Undertow instances to capture stream lifecycle events
- Set up alerts for CPU and memory thresholds on servers running affected products
- Monitor network traffic for anomalous HTTP/2 patterns using intrusion detection systems
- Review CERT Vulnerability Entry 767506 for additional detection guidance
How to Mitigate CVE-2025-9784
Immediate Actions Required
- Apply the latest security patches from Red Hat for all affected products immediately
- Review and apply the fix from Undertow Release 2.2.38.Final
- Implement network-level rate limiting on HTTP/2 connections as a temporary protective measure
- Consider deploying a web application firewall (WAF) capable of inspecting HTTP/2 traffic for malformed requests
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability across affected products. Organizations should apply patches according to their specific deployment:
- RHSA-2025:23143 - Initial security advisory
- RHSA-2026:0383, RHSA-2026:0384, RHSA-2026:0386 - Additional patches
- RHSA-2026:3889, RHSA-2026:3891, RHSA-2026:3892 - Platform-specific fixes
- RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924 - Latest updates
The fix is also available via GitHub Undertow Pull Request 1778. For detailed tracking, refer to Red Hat Issue UNDERTOW-2598 and Bugzilla Report 2392306.
Workarounds
- Implement connection rate limiting at the load balancer or reverse proxy level to restrict the number of HTTP/2 connections per client IP
- Configure maximum concurrent streams per connection to lower values to reduce the attack surface
- Deploy upstream reverse proxies that can normalize HTTP/2 traffic before it reaches Undertow servers
- Consider temporarily disabling HTTP/2 and falling back to HTTP/1.1 in critical environments until patches can be applied
# Example: tighten listener limits in standalone.xml for JBoss EAP using jboss-cli.sh
# (the same settings can be edited directly in the undertow subsystem).
# max-connections caps open connections on the listener; http2-max-concurrent-streams
# caps streams per HTTP/2 connection, which is the per-connection limit the workaround above refers to.
# Note: max-concurrent-requests is an attribute of the undertow request-limit filter, not of the listener.
# The values 200 and 100 are illustrative; size them for your traffic.
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=max-connections,value=200)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=http2-max-concurrent-streams,value=100)
# Listener attribute changes take effect after a reload:
reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


