Skip to main content
CVE Vulnerability Database

CVE-2025-9784: Apache Camel Spring Boot DoS Vulnerability

CVE-2025-9784 is a denial of service flaw in RedHat Build of Apache Camel for Spring Boot caused by malformed requests triggering server-side stream resets. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9784 Overview

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Critical Impact

Attackers can exhaust server resources by repeatedly sending malformed requests that bypass abuse detection, leading to service unavailability for legitimate users.

Affected Products

  • Red Hat Undertow
  • Red Hat JBoss Enterprise Application Platform 7.0.0 and 8.0.0
  • Red Hat Build of Apache Camel for Spring Boot
  • Red Hat Fuse 7.0.0
  • Red Hat Single Sign-On 7.0
  • Red Hat Process Automation 7.0
  • Red Hat JBoss Enterprise Application Platform Expansion Pack
  • Red Hat Enterprise Linux 8.0 and 9.0

Discovery Timeline

  • 2025-09-02 - CVE-2025-9784 published to NVD
  • 2026-03-18 - Last updated in NVD database

Technical Details for CVE-2025-9784

Vulnerability Analysis

This vulnerability exploits a weakness in how Undertow handles malformed HTTP/2 client requests. The "MadeYouReset" attack takes advantage of the fact that when the server encounters certain malformed requests, it initiates a stream reset (RST_STREAM frame) without incrementing the abuse counters designed to detect and mitigate such behavior. This allows an attacker to continuously trigger server-side resource consumption without being flagged as abusive.

The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-404 (Improper Resource Shutdown or Release), reflecting the core issue: the server allocates resources to process streams that are then aborted, but fails to properly track this pattern as potential abuse.

Root Cause

The root cause lies in Undertow's stream management implementation. When processing HTTP/2 streams, the server performs initial validation and resource allocation before fully parsing the request. If the request is malformed in a specific way, the server triggers a reset without updating abuse detection counters. This creates a gap in the protection mechanism where attackers can repeatedly exploit this behavior to consume server resources—including CPU cycles, memory for stream state management, and network bandwidth—without triggering rate limiting or connection termination.

Attack Vector

The attack is executed remotely over the network without requiring authentication or user interaction. An attacker establishes an HTTP/2 connection to a vulnerable Undertow server and sends specially crafted malformed requests designed to trigger server-side stream resets. By rapidly repeating this process across multiple streams within the same connection or across multiple connections, the attacker can exhaust server resources and degrade service availability.

The attack is particularly effective because it exploits the HTTP/2 multiplexing capability, allowing many streams to be opened and reset within a single connection. This amplifies the resource consumption while making traditional connection-based rate limiting less effective.

Detection Methods for CVE-2025-9784

Indicators of Compromise

  • Abnormally high rate of RST_STREAM frames being sent by the server
  • Increased CPU and memory utilization on Undertow-based application servers without corresponding legitimate traffic increase
  • Elevated number of HTTP/2 stream errors in server logs
  • Pattern of rapid stream creation followed by immediate resets from specific client IP addresses

Detection Strategies

  • Monitor HTTP/2 connection statistics for unusual ratios of successful requests to stream resets
  • Implement network-level detection rules to identify clients generating excessive malformed HTTP/2 frames
  • Configure log aggregation to alert on sudden spikes in stream reset events
  • Deploy application performance monitoring to detect resource exhaustion patterns correlating with specific client connections

Monitoring Recommendations

  • Enable detailed HTTP/2 protocol logging on Undertow instances to capture stream lifecycle events
  • Set up alerts for CPU and memory thresholds on servers running affected products
  • Monitor network traffic for anomalous HTTP/2 patterns using intrusion detection systems
  • Review CERT Vulnerability Entry 767506 for additional detection guidance

How to Mitigate CVE-2025-9784

Immediate Actions Required

  • Apply the latest security patches from Red Hat for all affected products immediately
  • Review and apply the fix from Undertow Release 2.2.38.Final
  • Implement network-level rate limiting on HTTP/2 connections as a temporary protective measure
  • Consider deploying a web application firewall (WAF) capable of inspecting HTTP/2 traffic for malformed requests

Patch Information

Red Hat has released multiple security advisories addressing this vulnerability across affected products. Organizations should apply patches according to their specific deployment:

The fix is also available via GitHub Undertow Pull Request 1778. For detailed tracking, refer to Red Hat Issue UNDERTOW-2598 and Bugzilla Report 2392306.

Workarounds

  • Implement connection rate limiting at the load balancer or reverse proxy level to restrict the number of HTTP/2 connections per client IP
  • Configure maximum concurrent streams per connection to lower values to reduce the attack surface
  • Deploy upstream reverse proxies that can normalize HTTP/2 traffic before it reaches Undertow servers
  • Consider temporarily disabling HTTP/2 and falling back to HTTP/1.1 in critical environments until patches can be applied
bash
# Example: Configure connection limits in standalone.xml for JBoss EAP
# Add or modify the http-listener configuration
# Set max-connections and max-concurrent-requests to appropriate values

# For Undertow subsystem configuration:
# /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=max-connections,value=200)
# /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=max-concurrent-requests,value=100)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.