Bug 2388252 (CVE-2025-55163)

Summary: CVE-2025-55163 netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abrianik, anstephe, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, dsimansk, eaguilar, ebaron, eric.wittmann, fjuma, fmariani, fmongiar, ggrzybek, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jcantril, jkoehler, jmartisk, jnethert, joehler, jolong, jpechane, jpoth, jrokos, jsamir, jscholz, kaycoth, kgaikwad, kholdawa, kingland, kvanderr, kverlaen, lcouzens, lgao, lphiri, lthon, manderse, matzew, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, parichar, pbizzarr, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rguimara, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, vkrizan, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2388301    
Bug Blocks:    

Description OSIDB Bzimport 2025-08-13 15:02:21 UTC 
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Comment 2 errata-xmlrpc 2025-08-20 19:33:34 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:14197 https://access.redhat.com/errata/RHSA-2025:14197
Comment 3 errata-xmlrpc 2025-08-28 18:38:45 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9

Via RHSA-2025:14911 https://access.redhat.com/errata/RHSA-2025:14911
Comment 4 errata-xmlrpc 2025-09-03 02:15:23 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:14919 https://access.redhat.com/errata/RHSA-2025:14919
Comment 6 errata-xmlrpc 2025-09-11 15:17:03 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.2

Via RHSA-2025:15697 https://access.redhat.com/errata/RHSA-2025:15697
Comment 7 errata-xmlrpc 2025-09-22 21:48:14 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.1

Via RHSA-2025:16407 https://access.redhat.com/errata/RHSA-2025:16407
Comment 8 errata-xmlrpc 2025-10-02 14:54:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1.0

Via RHSA-2025:17299 https://access.redhat.com/errata/RHSA-2025:17299
Comment 9 errata-xmlrpc 2025-10-02 14:55:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2025:17298 https://access.redhat.com/errata/RHSA-2025:17298
Comment 10 errata-xmlrpc 2025-10-02 17:34:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.9

Via RHSA-2025:17318 https://access.redhat.com/errata/RHSA-2025:17318
Comment 11 errata-xmlrpc 2025-10-02 17:35:54 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:17317 https://access.redhat.com/errata/RHSA-2025:17317