The CVE-2025-45724 vulnerability, dubbed “MadeYouReset,” exploits a weakness in the Undertow server’s HTTP/2 stream management. A malicious client opens a stream with a request and immediately follows it with a frame that violates the protocol for that stream, so the server has to abort the stream and send its own RST_STREAM. Crucially, this server-side reset is not charged against the connection’s abuse counter: Rapid Reset (CVE-2023-44487) mitigations count the RST_STREAM frames the client sends, and here the client never sends one. An attacker can therefore send a continuous, high-volume sequence of these requests, forcing the server to expend significant CPU resources on constant stream creation and immediate resetting while the client stays within the per-connection reset limit. This resource exhaustion leads to a denial-of-service condition, degrading performance for legitimate clients without the server ever terminating the malicious connection.
Platform: Undertow
Version: <= 2.3.12
Vulnerability: Denial of Service (DoS)
Severity: High
Date: 2025-09-02
Prediction: Patch 2025-09-16
What Undercode Says:
Simulating the request pattern with h2load (note that inside single quotes the shell passes the four characters \x00 literally, and h2load only emits well-formed frames, so this exercises stream-setup throughput rather than the malformed-frame trigger itself):
h2load -n 100000 -c 100 -m 100 \
  -H 'custom-header: \x00' \
  https://target.server.com/page
Monitoring server process impact (pgrep -d, joins multiple PIDs with commas, which is the list form top -p expects):
top -p "$(pgrep -d, -f io.undertow)"
// Illustrative vulnerable stream reset path (a sketch, not Undertow's actual source)
public void handleStreamReset(Stream stream, ErrorCode errorCode) {
    // The server tears the stream down after a protocol error, but the
    // per-connection abuse counter is only incremented for client-sent
    // RST_STREAM frames, so this server-initiated reset is never charged
    // to the client and no penalty is applied.
    stream.close();
}
How the Exploit Works:
Malicious clients send an endless sequence of requests, each followed by a malformed HTTP/2 frame, so the server itself resets every stream. Because the abuse penalty only counts client-sent resets, the connection is never closed and server CPU is exhausted by repeated stream creation and teardown.
Protection from this CVE:
Apply the vendor patch: update Undertow to version 2.3.13 or later upon release. Until then, rate-limit HTTP/2 stream creation per connection and count server-initiated stream resets (RST_STREAM frames the server sends after a protocol error) in the same per-connection budget as client-sent ones, closing the connection with GOAWAY when it is exceeded. Monitor for abnormal server-side reset rates, not only for client-sent RST_STREAM frames.
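To make the mechanism described at the top of this page and the reset-budget mitigation above concrete, here is an added Python model written for this edit; it is not Undertow code and not part of the original report. It implements the RFC 9113 frame layout by hand, constructs attacker traffic in which each valid HEADERS frame is followed by a WINDOW_UPDATE with a zero increment (one of the protocol violations that forces a server-side RST_STREAM), and feeds it to a toy connection whose reset accounting is either the vulnerable kind (charging only client-sent RST_STREAM frames) or the fixed kind (charging every reset regardless of who initiated it). The Connection class, RESET_BUDGET, the traffic generators and the HPACK payload bytes are all assumptions for illustration.

```python
"""Added example: MadeYouReset versus per-connection reset accounting.

Not Undertow code. Frame layout follows RFC 9113 section 4.1; the Connection
class, RESET_BUDGET and the traffic generators are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field

HEADERS, RST_STREAM, WINDOW_UPDATE = 0x1, 0x3, 0x8
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
CANCEL = 0x8                 # RST_STREAM error code a Rapid Reset client would send
RESET_BUDGET = 100           # hypothetical resets a connection may see before GOAWAY


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def decode_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, data[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


@dataclass
class Connection:
    """Toy server-side view of one HTTP/2 connection."""
    count_server_resets: bool              # False = vulnerable accounting, True = fixed
    open_streams: set = field(default_factory=set)
    reset_count: int = 0                   # what the abuse counter has charged so far
    server_rst_sent: int = 0               # RST_STREAM frames the server itself sent
    closed: bool = False                   # True once the budget is exceeded (GOAWAY)

    def _reset(self, stream_id, by_server):
        self.open_streams.discard(stream_id)
        if by_server:
            self.server_rst_sent += 1
        # Vulnerable accounting charges only RST_STREAM frames the client sent;
        # a reset the server was tricked into issuing is free.
        if self.count_server_resets or not by_server:
            self.reset_count += 1
            if self.reset_count > RESET_BUDGET:
                self.closed = True

    def receive(self, ftype, flags, stream_id, payload):
        if self.closed:
            return
        if ftype == HEADERS:
            self.open_streams.add(stream_id)
        elif ftype == RST_STREAM:
            self._reset(stream_id, by_server=False)
        elif ftype == WINDOW_UPDATE and stream_id in self.open_streams:
            increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if increment == 0:
                # RFC 9113 6.9: a zero increment on a stream is a stream error of
                # type PROTOCOL_ERROR, so the server resets the stream itself.
                self._reset(stream_id, by_server=True)
        # other frame types are irrelevant to this model and ignored


# HPACK static-table indices for :method GET, :scheme http, :path /; opaque here.
REQUEST_BLOCK = b"\x82\x86\x84"


def made_you_reset_traffic(n):
    """Constructed attacker bytes: a valid request on each of n streams, each
    followed by a WINDOW_UPDATE with increment 0 that forces a server-side reset."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1                     # client-initiated streams are odd
        out += encode_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, REQUEST_BLOCK)
        out += encode_frame(WINDOW_UPDATE, 0, sid, struct.pack(">I", 0))
    return out


def rapid_reset_traffic(n):
    """Constructed Rapid Reset bytes: the client cancels each stream itself."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += encode_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, REQUEST_BLOCK)
        out += encode_frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return out


def run(traffic, count_server_resets):
    """Feed a byte stream through a fresh Connection and return its final state."""
    conn = Connection(count_server_resets=count_server_resets)
    for frame in decode_frames(traffic):
        conn.receive(*frame)
    return conn


if __name__ == "__main__":
    for label, gen in (("MadeYouReset", made_you_reset_traffic), ("Rapid Reset", rapid_reset_traffic)):
        for fixed in (False, True):
            c = run(gen(1000), fixed)
            print(f"{label:13s} fixed={fixed!s:5s} server_rst={c.server_rst_sent:4d} "
                  f"charged={c.reset_count:4d} closed={c.closed}")
```

Running it shows the asymmetry the advisory describes: with vulnerable accounting the server issues 1000 resets for 1000 MadeYouReset streams and charges the client nothing, so the connection stays open, while the same accounting does close a Rapid Reset connection after the budget is exceeded. Charging server-initiated resets too closes the MadeYouReset connection at the 101st stream.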
Impact:
Resource exhaustion leads to denial-of-service, degrading server performance and availability for legitimate traffic.
Sources:
Reported By: github.com

