Jboss Enterprise Application Platform Expansion Pack
CVE-2025-9784
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 45 maven packages depend on io.undertow:undertow-core (9 direct, 36 indirect)
Ecosystem-wide dependent count for version 2.3.0.Alpha1.
DescriptionCVE.org
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
AnalysisAI
Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.
Technical ContextAI
Undertow is a lightweight, high-performance Java web server that provides both blocking and non-blocking APIs, commonly embedded in Red Hat JBoss Enterprise Application Platform versions 7.0.0 and 8.0.0, Red Hat Fuse 7.0.0, Single Sign-On 7.0, and other middleware products. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where the HTTP/2 implementation fails to properly track and limit malformed client requests that cause server-initiated stream resets. Unlike legitimate RST_STREAM frames from clients, these server-side resets triggered by crafted malformed requests bypass abuse detection mechanisms, allowing attackers to exhaust server resources through repeated stream abort cycles without being rate-limited or blocked.
RemediationAI
Upgrade to Undertow version 2.2.38.Final or later, which implements proper abuse counters for server-initiated stream resets as documented in GitHub pull request https://github.com/undertow-io/undertow/pull/1778. Red Hat customers should apply the relevant security updates through their product-specific advisories: RHSA-2026:0383, RHSA-2026:0384, RHSA-2026:0386 for JBoss EAP; RHSA-2026:3889, RHSA-2026:3891, RHSA-2026:3892 for additional middleware components; and RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924 for platform-specific patches, all accessible via https://access.redhat.com/errata/. Until patching is completed, implement network-level rate limiting on HTTP/2 connections, deploy web application firewalls configured to detect abnormal stream reset patterns, and consider temporarily disabling HTTP/2 in favor of HTTP/1.1 for critical services if DoS attacks are observed. Monitor server logs for excessive RST_STREAM activity and configure connection limits per client IP address.
A flaw was found in JBoss-client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authent
Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal net
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin
A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload
A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final
A flaw was found in wildfly. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack co
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-95h4-w6j8-2rp8