CVE-2025-9784

Severity: HIGH (CVSS 3.1 base score 7.5)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

CVE Published: Sep 02, 2025 - 14:15 (nvd)
Analysis Generated: Mar 18, 2026 - 16:22 (vuln.today)
Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available

Description

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Analysis

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Technical Context

Undertow is a lightweight, high-performance Java web server that provides both blocking and non-blocking APIs, commonly embedded in Red Hat JBoss Enterprise Application Platform versions 7.0.0 and 8.0.0, Red Hat Fuse 7.0.0, Single Sign-On 7.0, and other middleware products. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where the HTTP/2 implementation fails to properly track and limit malformed client requests that cause server-initiated stream resets. Unlike legitimate RST_STREAM frames from clients, these server-side resets triggered by crafted malformed requests bypass abuse detection mechanisms, allowing attackers to exhaust server resources through repeated stream abort cycles without being rate-limited or blocked.

Affected Products

The vulnerability affects Red Hat Undertow across multiple product families. Confirmed affected products include Red Hat JBoss Enterprise Application Platform 7.0.0 and 8.0.0 (cpe:2.3:a:redhat:jboss_enterprise_application_platform), Red Hat Fuse 7.0.0 (cpe:2.3:a:redhat:fuse:7.0.0), Red Hat Single Sign-On 7.0 (cpe:2.3:a:redhat:single_sign-on:7.0), Red Hat Process Automation 7.0 (cpe:2.3:a:redhat:process_automation:7.0), Red Hat Build of Apache Camel for Spring Boot (cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot), JBoss EAP Expansion Pack, and base Undertow library installations (cpe:2.3:a:redhat:undertow). The issue also impacts Red Hat Enterprise Linux 8.0 and 9.0 when running affected middleware components. Undertow versions prior to 2.2.38.Final are vulnerable. Full details are available in Red Hat's security advisory at https://access.redhat.com/security/cve/CVE-2025-9784 and the upstream fix at https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final.

Remediation

Upgrade to Undertow version 2.2.38.Final or later, which implements proper abuse counters for server-initiated stream resets as documented in GitHub pull request https://github.com/undertow-io/undertow/pull/1778. Red Hat customers should apply the relevant security updates through their product-specific advisories: RHSA-2026:0383, RHSA-2026:0384, RHSA-2026:0386 for JBoss EAP; RHSA-2026:3889, RHSA-2026:3891, RHSA-2026:3892 for additional middleware components; and RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924 for platform-specific patches, all accessible via https://access.redhat.com/errata/. Until patching is completed, implement network-level rate limiting on HTTP/2 connections, deploy web application firewalls configured to detect abnormal stream reset patterns, and consider temporarily disabling HTTP/2 in favor of HTTP/1.1 for critical services if DoS attacks are observed. Monitor server logs for excessive RST_STREAM activity and configure connection limits per client IP address.
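The following is an added illustration written for this page; it is not Undertow code, not the upstream fix, and not vuln.today's own tooling. It models two things the advisory describes: the Technical Context point that an abuse counter which only charges a client for the RST_STREAM frames it sends itself never flags a client that instead provokes server-side resets with malformed requests, and the Remediation advice to monitor for excessive reset activity per client IP. The log format, the event names (CLIENT_RST, SERVER_RST, STREAM_OK), the sample addresses and the thresholds are all constructed for the example.

```python
"""Per-client sliding-window accounting of HTTP/2 stream resets.

Hypothetical detector written for this page (not Undertow code). With
count_server_resets=False it reproduces the weak behaviour the advisory
describes; with True every abort of a client's stream is charged to it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional
import re

# Constructed sample log (invented format, not real server output):
#   <seconds> <client-ip> <event> stream=<id> [cause=<reason>]
SAMPLE_LOG = """\
0.00 10.0.0.5 CLIENT_RST stream=1
0.10 10.0.0.5 CLIENT_RST stream=3
0.20 10.0.0.5 CLIENT_RST stream=5
0.30 10.0.0.5 CLIENT_RST stream=7
0.40 10.0.0.5 CLIENT_RST stream=9
1.00 10.0.0.7 SERVER_RST stream=1 cause=malformed_headers
1.05 10.0.0.7 SERVER_RST stream=3 cause=malformed_headers
1.10 10.0.0.7 SERVER_RST stream=5 cause=malformed_headers
1.15 10.0.0.7 SERVER_RST stream=7 cause=malformed_headers
1.20 10.0.0.7 SERVER_RST stream=9 cause=malformed_headers
1.25 10.0.0.7 SERVER_RST stream=11 cause=malformed_headers
2.00 10.0.0.9 STREAM_OK stream=1
2.10 10.0.0.9 CLIENT_RST stream=3
5.00 10.0.0.9 SERVER_RST stream=5 cause=malformed_headers
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<event>CLIENT_RST|SERVER_RST|STREAM_OK)"
    r" stream=(?P<sid>\d+)(?: cause=(?P<cause>\S+))?$"
)


@dataclass(frozen=True)
class StreamEvent:
    t: float
    ip: str
    event: str
    stream_id: int
    cause: Optional[str]


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(StreamEvent(float(m["t"]), m["ip"], m["event"],
                                      int(m["sid"]), m["cause"]))
    return events


class ResetCounter:
    """Charge stream resets to the client that opened the stream and flag any
    client exceeding `threshold` charged resets inside a `window_s` window."""

    def __init__(self, window_s: float, threshold: int, count_server_resets: bool):
        self.window_s = window_s
        self.threshold = threshold
        self.count_server_resets = count_server_resets
        self._recent = defaultdict(deque)   # ip -> timestamps of charged resets
        self.flagged = set()

    def charge(self, ev: StreamEvent) -> bool:
        """Record one event; return True if the client is now over the limit."""
        counted = ev.event == "CLIENT_RST" or (
            ev.event == "SERVER_RST" and self.count_server_resets)
        if not counted:
            return ev.ip in self.flagged
        q = self._recent[ev.ip]
        q.append(ev.t)
        while q and ev.t - q[0] > self.window_s:   # forget resets outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.add(ev.ip)
        return ev.ip in self.flagged


def flagged_clients(text: str, window_s: float = 1.0, threshold: int = 4,
                    count_server_resets: bool = True) -> list:
    """Client IPs that exceeded the reset limit anywhere in the log."""
    counter = ResetCounter(window_s, threshold, count_server_resets)
    for ev in parse_log(text):
        counter.charge(ev)
    return sorted(counter.flagged)


if __name__ == "__main__":
    print("client-RST-only counter flags:", flagged_clients(SAMPLE_LOG, count_server_resets=False))
    print("all-resets counter flags:    ", flagged_clients(SAMPLE_LOG))
```

Run as-is, the client-RST-only counter flags only 10.0.0.5, the client that sends RST_STREAM frames itself; 10.0.0.7, which never sends one but makes the server abort every stream it opens, is invisible to it. Charging server-initiated resets as well flags both, while the benign 10.0.0.9 stays under the limit in either mode. The same per-IP windowed count can be run over real access or frame-level logs once the events are mapped to whatever the server records.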

Priority Score

39 (components: KEV 0, EPSS +1.2, CVSS +38, POC 0)
