CVE-2025-9784

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Published: Sep 2, 2025
Updated: Sep 3, 2025
CVE: CVE-2025-9784
GHSA: GHSA-95h4-w6j8-2rp8
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-404

Affected Software
References

Software	From	Fixed in
io.undertow / undertow-core	-	2.3.18.final.x

https://access.redhat.com/security/cve/CVE-2025-9784
https://bugzilla.redhat.com/show_bug.cgi?id=2392306

Vulnerability Database

CVE-2025-9784