External risk intelligence

MadeYouReset Attack Leads to Undertow Denial of Service

CVE advisorySeverity: HIGH (CVSS 7.5)

CVE-2025-9784

Undertow is a widely used web server and embedded servlet container. Applications utilizing it frequently serve as internet-facing web endpoints, APIs, or application gateways. Because this vulnerability exists at the request handling level, it is commonly exposed wherever these services are deployed to accept external traffic.

Denial of Service

Redhat Build Of Apache Camel For Spring Boot

7.0.08.0.07.08.09.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a flaw in Undertow, a web server component, that can be exploited through specially crafted client requests. This allows an attacker to cause excessive server workload by repeatedly triggering stream resets, potentially leading to a denial-of-service condition. The main concern is confirming relevance and exposure to this type of attack.

  • Malicious requests can overload the server.
  • Affects web servers and application gateways.
  • Confirm relevance and assess exposure to this threat.

Attack Path

How an attacker could exploit the issue

An attacker can leverage this vulnerability by sending specially crafted client requests to a vulnerable server. This can cause the server to repeatedly reset streams, overwhelming its resources. The issue lies in how the server handles malformed requests, leading to excessive workload.

  • No authentication or special privileges needed.
  • Malformed client requests trigger resets.
  • Denial of service via excessive workload.

Live Threat

Current exploitation, exposure, and threat context

Malformed client requests targeting Undertow services could trigger excessive server workload, leading to a denial-of-service condition. This occurs when the server repeatedly aborts internal streams in response to specifically crafted, albeit non-standard, client inputs. The vulnerability does not directly expose sensitive data but can disrupt service availability.

  • Service availability.
  • Excessive server workload.
  • Application denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, which allows for denial of service through excessive stream resets, likely impacts application owners and infrastructure teams responsible for services running Undertow. The first practical step is to identify all instances of the affected technology, confirm their exposure and criticality, and then assign ownership for remediation planning.

  • Application owners should lead the response.
  • Verify external reachability and business criticality.
  • Plan coordinated remediation activities.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Undertow and where is it used?

Undertow is a flexible, high-performance web server and servlet container designed for Java applications. It is frequently embedded within larger software frameworks like Red Hat JBoss Enterprise Application Platform, Fuse, and various Spring Boot applications. Developers use it to build robust, scalable web services, APIs, and application gateways that handle incoming network traffic.

What is the vulnerability in CVE-2025-9784?

CVE-2025-9784 involves a weakness in how the server processes client requests, specifically categorized as CWE-770 (Allocation of Resources Without Limits) and CWE-404 (Improper Resource Shutdown). In plain terms, the server fails to properly limit the resources consumed when it encounters malformed requests, allowing a remote attacker to repeatedly trigger stream resets that force the server to perform excessive, unnecessary work.

How can an attacker trigger this issue?

An attacker triggers this by sending specifically crafted, malformed requests to an affected Undertow service. Because this is a handling flaw at the request level, the attacker does not need authentication or special system privileges to initiate the process. It is important to note that well-formed, standard traffic does not trigger these server-side stream resets, as the issue specifically arises from non-standard, malicious input.

Why should I care about this CVE?

You should care if your organization runs applications that rely on Undertow to handle external traffic. Halo Surface Signal notes that since Undertow often powers internet-facing web endpoints, APIs, and gateways, this vulnerability is frequently accessible wherever these services accept traffic from the open internet, putting the availability of your services at risk of a denial-of-service condition.

What are the first steps for managing this?

Begin by auditing your infrastructure to identify all services using the affected Undertow components, including embedded instances within products like JBoss or Camel. Once you have a complete inventory, assess which of these instances are reachable from the internet or high-risk network zones. After identifying critical and exposed systems, coordinate with application owners to prioritize patch management or configuration updates to stabilize service availability.

References