CVE-2025-9784

Description

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Affected packages (2)

• Debian/undertowfrom 0, < 2.3.20-1
• Maven/io.undertow:undertow-corefrom 0, < 2.2.38.Final

CVSS scores

References (25)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-9784
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-9784
• PATCHhttps://github.com/undertow-io/undertow
• WEBhttps://access.redhat.com/errata/RHSA-2025:23143
• WEBhttps://access.redhat.com/errata/RHSA-2026:0383
• WEBhttps://access.redhat.com/errata/RHSA-2026:0384
• WEBhttps://access.redhat.com/errata/RHSA-2026:0386
• WEBhttps://access.redhat.com/errata/RHSA-2026:3889
• WEBhttps://access.redhat.com/errata/RHSA-2026:3891
• WEBhttps://access.redhat.com/errata/RHSA-2026:3892
• WEBhttps://access.redhat.com/errata/RHSA-2026:4915
• WEBhttps://access.redhat.com/errata/RHSA-2026:4916
• WEBhttps://access.redhat.com/errata/RHSA-2026:4917
• WEBhttps://access.redhat.com/errata/RHSA-2026:4924
• WEBhttps://access.redhat.com/security/cve/CVE-2025-9784
• WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2392306
• WEBhttps://github.com/undertow-io/undertow/pull/1778
• WEBhttps://github.com/undertow-io/undertow/pull/1802
• WEBhttps://github.com/undertow-io/undertow/pull/1803
• WEBhttps://github.com/undertow-io/undertow/pull/1804
• WEBhttps://github.com/undertow-io/undertow/pull/1805
• WEBhttps://github.com/undertow-io/undertow/releases/tag/2.2.38.Final
• WEBhttps://issues.redhat.com/browse/UNDERTOW-2598
• WEBhttps://kb.cert.org/vuls/id/767506
• WEBhttps://www.kb.cert.org/vuls/id/767506