Skip to content

[UNDERTOW-2598] CVE-2025-9784 Prevent a MadeYouReset HTTP2 attack by … #1778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[UNDERTOW-2598] CVE-2025-9784 Prevent a MadeYouReset HTTP2 attack by … #1778

wants to merge 1 commit into from
+98 −19

Conversation

fl4via
Copy link
Member

@fl4via fl4via commented Sep 4, 2025

…sending a go away in case too many rst streams were sent to the client.

Jira: https://issues.redhat.com/browse/UNDERTOW-2598

@fl4via fl4via added bug fix Contains bug fix(es) next release This PR will be merged before next release or has already been merged (for payload double check) labels Sep 4, 2025
@fl4via
[UNDERTOW-2598] CVE-2025-9784 Prevent a MadeYouReset HTTP2 attack by …
6343e3e 
…sending a go away in case too many rst streams were sent to the client.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
@fl4via fl4via added the on hold PR awaits non CI/Review holdover label Sep 4, 2025
@usr42
Copy link

usr42 commented Sep 9, 2025

Is CVE-2025-9784 already fixed in version 2.3.19.Final like suggested in https://issues.redhat.com/browse/UNDERTOW-2598? Or does this PR needs to be merged first and a version 2.3.20.Final needs to be released to fix the CVE?

@marcosgopen
Copy link

Is CVE-2025-9784 already fixed in version 2.3.19.Final like suggested in https://issues.redhat.com/browse/UNDERTOW-2598? Or does this PR needs to be merged first and a version 2.3.20.Final needs to be released to fix the CVE?

I think this still needs to be fixed (the issue is code in progress).

@gdiazsnap
Copy link

Hi, is there any plan to release this fix soon?

@wolfkor
Copy link

wolfkor commented Sep 23, 2025

We are also urgently waiting for a hotfix to resolve this high severity vulnerability

@lsainisnap
Copy link

We’re also eagerly awaiting a hotfix to fix this serious vulnerability. please merge and provide new fix version

@1kvsn
Copy link

1kvsn commented Sep 23, 2025

Hey team, are we going to fix this soon ?

@eliasrahmanin26
Copy link

eliasrahmanin26 commented Oct 1, 2025
edited
Loading

Hey team, any progress on this?

@fl4via
Copy link
Member Author

fl4via commented Oct 3, 2025

Hello everyone! This fix has not passed all my tests and we have been working on finding the missing pieces. I am working on an updated version of this fix, one that contains those missing pieces.

@fl4via fl4via added the waiting PR update Awaiting PR update(s) from contributor before merging label Oct 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug fix Contains bug fix(es) next release This PR will be merged before next release or has already been merged (for payload double check) on hold PR awaits non CI/Review holdover waiting PR update Awaiting PR update(s) from contributor before merging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@fl4via @usr42 @marcosgopen @gdiazsnap @wolfkor @lsainisnap @1kvsn @eliasrahmanin26