Skip to main content

Jboss Enterprise Application Platform Expansion Pack CVE-2025-9784

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-09-02 secalert@redhat.com GHSA-95h4-w6j8-2rp8
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 16:22 vuln.today
CVE Published
Sep 02, 2025 - 14:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 45 maven packages depend on io.undertow:undertow-core (9 direct, 36 indirect)

Ecosystem-wide dependent count for version 2.3.0.Alpha1.

DescriptionCVE.org

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

AnalysisAI

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Technical ContextAI

Undertow is a lightweight, high-performance Java web server that provides both blocking and non-blocking APIs, commonly embedded in Red Hat JBoss Enterprise Application Platform versions 7.0.0 and 8.0.0, Red Hat Fuse 7.0.0, Single Sign-On 7.0, and other middleware products. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where the HTTP/2 implementation fails to properly track and limit malformed client requests that cause server-initiated stream resets. Unlike legitimate RST_STREAM frames from clients, these server-side resets triggered by crafted malformed requests bypass abuse detection mechanisms, allowing attackers to exhaust server resources through repeated stream abort cycles without being rate-limited or blocked.

RemediationAI

Upgrade to Undertow version 2.2.38.Final or later, which implements proper abuse counters for server-initiated stream resets as documented in GitHub pull request https://github.com/undertow-io/undertow/pull/1778. Red Hat customers should apply the relevant security updates through their product-specific advisories: RHSA-2026:0383, RHSA-2026:0384, RHSA-2026:0386 for JBoss EAP; RHSA-2026:3889, RHSA-2026:3891, RHSA-2026:3892 for additional middleware components; and RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924 for platform-specific patches, all accessible via https://access.redhat.com/errata/. Until patching is completed, implement network-level rate limiting on HTTP/2 connections, deploy web application firewalls configured to detect abnormal stream reset patterns, and consider temporarily disabling HTTP/2 in favor of HTTP/1.1 for critical services if DoS attacks are observed. Monitor server logs for excessive RST_STREAM activity and configure connection limits per client IP address.

Vendor StatusVendor

Share

CVE-2025-9784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy