2392306 – (CVE-2025-9784) CVE-2025-9784 undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Bug 2392306 (CVE-2025-9784) - CVE-2025-9784 undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Summary: CVE-2025-9784 undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2025-9784
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2392309 2392308
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-01 06:34 UTC by OSIDB Bzimport
Modified:	2026-01-08 16:55 UTC (History)
CC List:	47 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:23143	None	None	None	2025-12-11 20:15:40 UTC
Red Hat Product Errata	RHSA-2026:0383	None	None	None	2026-01-08 16:54:54 UTC
Red Hat Product Errata	RHSA-2026:0384	None	None	None	2026-01-08 16:55:19 UTC
Red Hat Product Errata	RHSA-2026:0386	None	None	None	2026-01-08 16:53:59 UTC

Description OSIDB Bzimport 2025-09-01 06:34:39 UTC

HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

Comment 1 errata-xmlrpc 2025-12-11 20:15:36 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8

Via RHSA-2025:23143 https://access.redhat.com/errata/RHSA-2025:23143

Comment 2 errata-xmlrpc 2026-01-08 16:53:55 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1

Via RHSA-2026:0386 https://access.redhat.com/errata/RHSA-2026:0386

Comment 3 errata-xmlrpc 2026-01-08 16:54:49 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2026:0383 https://access.redhat.com/errata/RHSA-2026:0383

Comment 4 errata-xmlrpc 2026-01-08 16:55:14 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2026:0384 https://access.redhat.com/errata/RHSA-2026:0384

Note You need to log in before you can comment on or make changes to this bug.

abrianik
aschwart
asoldano
bbaranow
bmaxwell
boliveir
brian.stansberry
darran.lofthouse
dhanak
dkreling
dosoudil
drosa
fjuma
fmariani
ggrzybek
gmalinko
ibek
istudens
ivassile
iweiss
janstey
jpoth
jrokos
kverlaen
mnovotny
mosmerov
mposolda
msochure
msvehla
nwallace
parichar
pdelbell
pesilva
pjindal
pmackay
rmartinc
rstancel
rstepani
sausingh
smaestri
ssilvert
sthorger
tasato
tcunning
tom.jenkinson
vmuzikar
yfang