{ "threat_severity" : "Important", "public_date" : "2025-08-20T00:00:00Z", "bugzilla" : { "description" : "jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames", "id" : "2373310", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373310" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\nLinks:\n* https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h", "A flaw was found in Jetty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS)." ], "statement" : "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, “MadeYouReset” is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling — malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.", "affected_release" : [ { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16459", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-0:2.516.3.1758299374-3.el8" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16459", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-2-plugins-0:4.12.1758299735-1.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16460", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-0:2.516.3.1758298953-3.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16460", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-2-plugins-0:4.13.1758299004-1.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16461", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-0:2.516.3.1758302106-3.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16461", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-2-plugins-0:4.14.1758302383-1.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16462", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-0:2.516.3.1758302665-3.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16462", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-2-plugins-0:4.15.1758303157-1.el8" }, { "product_name" : "OCP-Tools-4.16-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16457", "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9", "package" : "jenkins-0:2.516.3.1758336945-3.el9" }, { "product_name" : "OCP-Tools-4.16-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16457", "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9", "package" : "jenkins-2-plugins-0:4.16.1758337173-1.el9" }, { "product_name" : "OCP-Tools-4.17-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16456", "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9", "package" : "jenkins-0:2.516.3.1758259817-3.el9" }, { "product_name" : "OCP-Tools-4.17-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16456", "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9", "package" : "jenkins-2-plugins-0:4.17.1758260106-1.el9" }, { "product_name" : "OCP-Tools-4.18-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16455", "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9", "package" : "jenkins-0:2.516.3.1758260563-3.el9" }, { "product_name" : "OCP-Tools-4.18-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16455", "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9", "package" : "jenkins-2-plugins-0:4.18.1758260849-1.el9" }, { "product_name" : "OCP-Tools-4.19-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16454", "cpe" : "cpe:/a:redhat:ocp_tools:4.19::el9", "package" : "jenkins-0:2.516.3.1758206866-3.el9" }, { "product_name" : "OCP-Tools-4.19-RHEL-9", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16454", "cpe" : "cpe:/a:redhat:ocp_tools:4.19::el9", "package" : "jenkins-2-plugins-0:4.19.1758207171-1.el9" }, { "product_name" : "Red Hat AMQ Broker 7.13.2", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17567", "cpe" : "cpe:/a:redhat:amq_broker:7.13", "package" : "jetty-http2-common" }, { "product_name" : "Red Hat AMQ Broker 7.13.2", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17567", "cpe" : "cpe:/a:redhat:amq_broker:7.13", "package" : "jetty-http2-hpack" }, { "product_name" : "Red Hat AMQ Broker 7.13.2", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17567", "cpe" : "cpe:/a:redhat:amq_broker:7.13", "package" : "jetty-http2-server" }, { "product_name" : "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14911", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "jetty-http2-client" }, { "product_name" : "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14911", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "jetty-http2-client-transport" }, { "product_name" : "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14911", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "jetty-http2-common" }, { "product_name" : "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14911", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "jetty-http2-hpack" }, { "product_name" : "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14911", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "jetty-http2-server" }, { "product_name" : "Red Hat Offline Knowledge Portal 1.1.8", "release_date" : "2025-09-29T00:00:00Z", "advisory" : "RHSA-2025:16989", "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1.1::el9", "package" : "offline-knowledge-portal/rhokp-rhel9:sha256:31830a6c2976a2336f946569f10bd7d93d5a662666014e2be846311b12d2fa78" } ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "org.jboss.eap-jboss-eap-xp", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "org.postgresql-pgjdbc", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.jboss.eap-jboss-eap-xp", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.postgresql-pgjdbc", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Out of support scope", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_streams:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-5115\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5115\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\nhttps://kb.cert.org/vuls/id/767506" ], "name" : "CVE-2025-5115", "mitigation" : { "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.", "lang" : "en:us" }, "csaw" : false }