A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
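The weakness the advisory describes is in the accounting, not the protocol: a reset counter of the kind deployed against reset floods only counts RST_STREAM frames the client sends, so resets the server itself is forced to issue after a malformed request never reach the limit. The following Python model, added here as an illustration and not Undertow's code or its fix, contrasts that weak counter with a hardened one that also attributes server-side resets provoked by client input. The event stream, the cause names in `CLIENT_PROVOKED_CAUSES`, and all function names are constructed for the example.

```python
"""Model of the abuse-counter weakness behind "MadeYouReset".

Added illustration for this advisory, not Undertow's implementation: a
per-connection reset counter that only counts RST_STREAM frames received
from the client misses the resets the server has to send itself when a
client request is malformed. The hardened variant counts those as well.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Hypothetical causes for a server-issued reset that are provoked purely by
# what the client sent (assumed names, not Undertow's error codes).
CLIENT_PROVOKED_CAUSES = {"malformed_frame", "protocol_error", "flow_control_error"}


@dataclass(frozen=True)
class ResetEvent:
    stream_id: int
    origin: str  # "client": RST_STREAM received; "server": reset sent by the server
    cause: str


# Constructed sample: two genuine client cancellations, one server reset that
# the client did not provoke, then a run of malformed requests that each make
# the server abort the stream itself.
SAMPLE_EVENTS: Sequence[ResetEvent] = (
    ResetEvent(1, "client", "cancel"),
    ResetEvent(3, "client", "cancel"),
    ResetEvent(5, "server", "internal_error"),
    ResetEvent(7, "server", "malformed_frame"),
    ResetEvent(9, "server", "malformed_frame"),
    ResetEvent(11, "server", "protocol_error"),
    ResetEvent(13, "server", "malformed_frame"),
    ResetEvent(15, "server", "malformed_frame"),
    ResetEvent(17, "server", "malformed_frame"),
    ResetEvent(19, "server", "malformed_frame"),
)


@dataclass
class ResetBudget:
    """Per-connection reset budget; tears the connection down once exceeded."""
    limit: int
    attribute_server_resets: bool
    count: int = 0

    def observe(self, event: ResetEvent) -> bool:
        """Record one reset; return True once the connection should be closed."""
        if event.origin == "client":
            self.count += 1
        elif self.attribute_server_resets and event.cause in CLIENT_PROVOKED_CAUSES:
            # Hardened form: a reset the client forced the server to send
            # counts against the client just like a client-sent RST_STREAM.
            self.count += 1
        return self.count > self.limit


def connection_closed_after(events: Sequence[ResetEvent], limit: int,
                            attribute_server_resets: bool) -> Optional[int]:
    """1-based index of the event at which the budget trips, or None if never."""
    budget = ResetBudget(limit, attribute_server_resets)
    for index, event in enumerate(events, 1):
        if budget.observe(event):
            return index
    return None


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "weak"
        result = connection_closed_after(SAMPLE_EVENTS, 5, hardened)
        print(f"{label} counter, limit 5: closed after event {result}")
```

With a limit of 5, the weak counter sees only the two client cancellations and never closes the connection, however many server-side aborts the malformed requests cause; the hardened counter closes it at the seventh event. The `internal_error` reset is deliberately not attributed in either variant, since a server should not penalise a client for its own failures.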
| Software | From | Fixed in |
|---|---|---|
| io.undertow / undertow-core | - | 2.2.38.Final |
| io.undertow / undertow-core | 2.3.0.Alpha1 | 2.3.20.Final |
| redhat / fuse | 7.0.0 | 7.0.0.x |
| redhat / jboss_enterprise_application_platform | 7.0.0 | 7.0.0.x |
| redhat / jboss_enterprise_application_platform | 8.0.0 | 8.0.0.x |
| redhat / process_automation | 7.0 | 7.0.x |
| redhat / single_sign-on | 7.0 | 7.0.x |
| redhat / enterprise_linux | 8.0 | 8.0.x |
| redhat / enterprise_linux | 9.0 | 9.0.x |