Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-48989

Опубликовано: 13 авг. 2025
Источник: redhat
CVSS3: 7.5

Описание

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Отчет

This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, “MadeYouReset” is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling — malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.

Меры по смягчению последствий

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10tomcatAffected
Red Hat Enterprise Linux 10tomcat9Affected
Red Hat Enterprise Linux 6tomcat6Not affected
Red Hat Enterprise Linux 7tomcatNot affected
Red Hat Enterprise Linux 8pki-deps:10.6/pki-servlet-engineNot affected
Red Hat Enterprise Linux 8tomcatAffected
Red Hat Enterprise Linux 9pki-servlet-engineAffected
Red Hat Enterprise Linux 9tomcatAffected
Red Hat JBoss Web Server 5tomcatWill not fix
Red Hat JBoss Web Server 6.1.2tomcatFixedRHSA-2025:1368613.08.2025

Показывать по

Дополнительная информация

Статус:

Important
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=2373309tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames

7.5 High

CVSS3

Связанные уязвимости

CVSS3: 7.5
ubuntu
2 дня назад

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

CVSS3: 7.5
nvd
4 дня назад

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

CVSS3: 7.5
debian
4 дня назад

Improper Resource Shutdown or Release vulnerability in Apache Tomcat m ...

CVSS3: 7.5
github
4 дня назад

Apache Tomcat Improper Resource Shutdown or Release vulnerability

7.5 High

CVSS3