Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Critical vulnerability in Apache Tomcat must be patched, otherwise the server can be taken down by a DoS attack.

15 August 2025 08:50

A critical security flaw has been discovered in Apache Tomcat’s HTTP/2 implementation. An unauthenticated remote attacker can use it to mount denial-of-service (DoS) attacks against affected servers that have HTTP/2 enabled.

The vulnerability, tracked as CVE-2025-48989 and dubbed “MadeYouReset” by its discoverers, affects several versions of the popular Java servlet container and poses a significant risk to web applications worldwide. The Apache Tomcat project rates it Important (its second-highest severity) and lists the affected versions as 11.0.0-M1 to 11.0.9, 10.1.0-M1 to 10.1.43, and 9.0.0.M1 to 9.0.107; the fixes shipped in 11.0.10, 10.1.44 and 9.0.108.

Risk factors and details

Affected products:
- Apache Tomcat 11.0.0-M1 to 11.0.9 (fixed in 11.0.10)
- Apache Tomcat 10.1.0-M1 to 10.1.43 (fixed in 10.1.44)
- Apache Tomcat 9.0.0.M1 to 9.0.107 (fixed in 9.0.108)
- Older end-of-life releases (potentially affected; no fix will be published for them)

Impact: Denial of Service (DoS)

Exploitation prerequisites:
- HTTP/2 enabled on the target connector
- Network access to the server in order to send HTTP/2 frames
- Ability to craft HTTP/2 frames that force the server to reset a stream
- No authentication required
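Two of the prerequisites above, an affected version and HTTP/2 being enabled, can be checked from the Tomcat version string and server.xml. The following triage helper is an added example, not code from Red Hot Cyber or the Tomcat project; it uses the fixed releases 9.0.108, 10.1.44 and 11.0.10 as the cut-off, treats end-of-life branches as affected because they received no fix, and parses a server.xml constructed for the example. Tomcat enables HTTP/2 through an `UpgradeProtocol` child element of a `Connector` with `className="org.apache.coyote.http2.Http2Protocol"`.

```python
"""
Added triage helper, not code from Red Hot Cyber or the Tomcat project.

Decides whether a Tomcat instance is exposed to CVE-2025-48989 from two
inputs: its version string and its server.xml. Exposure requires both a
version below the fixed release of its branch (9.0.108, 10.1.44, 11.0.10)
and at least one Connector that declares the HTTP/2 UpgradeProtocol.
The sample server.xml below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# First fixed patch level per supported branch: (major, minor) -> patch.
FIXED_PATCH = {(9, 0): 108, (10, 1): 44, (11, 0): 10}

# Accepts 9.0.107, 10.1.0-M1 and the older 9.0.0.M1 milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_final, milestone) so that tuples compare
    in release order: 9.0.0.M1 < 9.0.0 < 9.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), milestone is None, int(milestone or 0))


def version_affected(text: str) -> bool:
    """True if the version falls inside an affected range of the advisory."""
    major, minor, patch, is_final, milestone = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return (patch, is_final, milestone) < (FIXED_PATCH[branch], True, 0)
    # Any branch older than 11.0 that is not in the table (8.5.x, 10.0.x, ...)
    # is end of life and received no fix; the advisory lists such releases as
    # potentially affected, so this helper treats them as affected (assumption).
    return branch < (11, 0)


def http2_connector_ports(server_xml: str) -> list:
    """Ports of Connectors that enable HTTP/2 via the UpgradeProtocol element."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if "Http2Protocol" in upgrade.get("className", ""):
                ports.append(int(connector.get("port", "0")))
    return ports


def exposed(version: str, server_xml: str) -> bool:
    """Both conditions of the advisory must hold for the server to be attackable."""
    return version_affected(version) and bool(http2_connector_ports(server_xml))


# Constructed sample: one plain HTTP/1.1 connector, one TLS connector with HTTP/2.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("9.0.107", "9.0.108", "10.1.0-M1", "11.0.9", "11.0.10", "8.5.100"):
        print(f"{v:10} affected={version_affected(v)} "
              f"exposed={exposed(v, SAMPLE_SERVER_XML)}")
    print("HTTP/2 connectors on ports:", http2_connector_ports(SAMPLE_SERVER_XML))
```

The version string to feed in is the one printed by `catalina.sh version` (the "Server number" line). If patching has to wait, removing the `UpgradeProtocol` element from the exposed connector takes the server out of the attackable set, at the cost of serving those clients over HTTP/1.1.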

The vulnerability was identified by security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University, who published their findings on August 13, 2025. Older, discontinued versions are likely to be vulnerable as well and will not receive a fix, so the issue potentially affects thousands of web servers worldwide.

The “MadeYouReset” attack exploits a weakness in how Tomcat’s HTTP/2 implementation accounts for stream resets. Unlike the 2023 Rapid Reset attack (CVE-2023-44487), in which the client cancels its own streams with RST_STREAM, here the client sends frames that violate the protocol state of a stream and thereby force the server to send the RST_STREAM itself. On Tomcat a sustained run of such resets ends in an OutOfMemoryError: the server exhausts its heap and stops responding to legitimate requests.

The flaw lies in how Tomcat handles these server-initiated resets. A request is dispatched to the container as soon as its HEADERS frame arrives; when the stream is reset immediately afterwards, it no longer counts against the connection’s concurrent-stream limit, but the work that was already started is not released. By repeating the sequence the attacker accumulates far more in-flight requests and response buffers than the limit is meant to allow, until the available heap is exhausted and the server enters a denial-of-service condition.

The attack relies on HTTP/2 multiplexing, which allows many streams to be processed concurrently over a single TCP connection.

By manipulating stream reset frames and the server’s per-stream state, an attacker can keep Tomcat holding a large number of streams that are closed from the protocol’s point of view but are still being processed, which results in resource exhaustion. Because the RST_STREAM frames are sent by the server rather than the client, mitigations that count client-sent resets, as deployed after Rapid Reset, do not trigger.
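The accounting problem described above can be made concrete with a small model. The following is an added illustration, not Tomcat code: a toy HTTP/2 server that enforces SETTINGS_MAX_CONCURRENT_STREAMS and already rate-limits client-sent RST_STREAM frames (the Rapid Reset mitigation), then two attacker loops run against it. The vulnerable variant keeps working on requests whose streams it was forced to reset, so its backlog is no longer bounded by the stream limit; the hardened variant charges server-initiated resets caused by client protocol errors to the same abuse budget. That hardening is a simplified stand-in for the real fix, the budget value of 50 is an assumption, and the WINDOW_UPDATE-with-increment-0 trigger is used because RFC 9113 requires a stream-level PROTOCOL_ERROR for it.

```python
"""
Added illustration of the MadeYouReset accounting flaw; this is a toy model,
not Tomcat code. The server tracks open streams against
SETTINGS_MAX_CONCURRENT_STREAMS and already rate-limits client-sent
RST_STREAM frames (the Rapid Reset mitigation). The vulnerable variant keeps
working on requests whose streams it was forced to reset, so the backlog is
no longer bounded by the stream limit. The hardened variant charges
server-initiated resets caused by client protocol errors to the same abuse
budget; that is a simplified stand-in for the real fix, and the budget
value is an assumption.
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # limit the server advertises in SETTINGS
RESET_BUDGET = 50             # assumed per-connection reset allowance


class ConnectionClosed(Exception):
    """The server sent GOAWAY; no further frames are accepted."""


@dataclass
class Http2Server:
    hardened: bool
    active: set = field(default_factory=set)  # streams the server counts as open
    in_flight: int = 0      # requests still holding a worker or response buffer
    client_resets: int = 0  # RST_STREAM frames received from the client
    server_resets: int = 0  # RST_STREAM frames the server was forced to send
    closed: bool = False

    def _check_open(self) -> None:
        if self.closed:
            raise ConnectionClosed

    def headers(self, stream_id: int) -> None:
        """Client sends HEADERS with END_STREAM, i.e. a complete request."""
        self._check_open()
        if len(self.active) >= MAX_CONCURRENT_STREAMS:
            self.closed = True  # a real server answers REFUSED_STREAM; closing is enough here
            raise ConnectionClosed
        self.active.add(stream_id)
        self.in_flight += 1  # dispatched to the container before any reset can arrive

    def rst_stream(self, stream_id: int) -> None:
        """Client-initiated reset, the primitive behind Rapid Reset (CVE-2023-44487)."""
        self._check_open()
        self.active.discard(stream_id)
        self.client_resets += 1
        if self.client_resets > RESET_BUDGET:  # pre-existing mitigation fires
            self.closed = True

    def window_update(self, stream_id: int, increment: int) -> None:
        """A WINDOW_UPDATE with increment 0 is a stream-level PROTOCOL_ERROR
        (RFC 9113 section 6.9), so the server must send RST_STREAM itself."""
        self._check_open()
        if increment == 0:
            self.active.discard(stream_id)  # no longer counts as an open stream ...
            self.server_resets += 1         # ... but the dispatched work is not released
            if self.hardened and self.server_resets > RESET_BUDGET:
                self.closed = True


def _report(server: Http2Server) -> dict:
    return {"in_flight": server.in_flight, "open_streams": len(server.active),
            "client_resets": server.client_resets, "closed": server.closed}


def made_you_reset(server: Http2Server, rounds: int) -> dict:
    """Open a stream, then make the server reset it; never send RST_STREAM."""
    stream_id = 1
    try:
        for _ in range(rounds):
            server.headers(stream_id)
            server.window_update(stream_id, 0)
            stream_id += 2  # client-initiated streams use odd identifiers
    except ConnectionClosed:
        pass
    return _report(server)


def rapid_reset(server: Http2Server, rounds: int) -> dict:
    """Classic Rapid Reset for comparison: open a stream and cancel it yourself."""
    stream_id = 1
    try:
        for _ in range(rounds):
            server.headers(stream_id)
            server.rst_stream(stream_id)
            stream_id += 2
    except ConnectionClosed:
        pass
    return _report(server)


if __name__ == "__main__":
    print("rapid reset, unpatched   :", rapid_reset(Http2Server(hardened=False), 10_000))
    print("made you reset, unpatched:", made_you_reset(Http2Server(hardened=False), 10_000))
    print("made you reset, hardened :", made_you_reset(Http2Server(hardened=True), 10_000))
```

Against the unpatched model, Rapid Reset is cut off after 51 streams by the client-reset counter, while MadeYouReset leaves that counter at zero, keeps `open_streams` at zero the whole time, and drives `in_flight` to whatever the attacker’s round count is; in the real server that unbounded backlog is what surfaces as the OutOfMemoryError. The hardened model closes the connection after the same 51 streams regardless of who sent the RST_STREAM.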


Massimiliano Brolli
Responsible for the Red Team of a large telecommunications company and for its 4G/5G cyber security labs. He has held managerial positions ranging from ICT risk management to software engineering, and teaches in university master’s programs.
Areas of Expertise: Bug Hunting, Red Team, Cyber Intelligence & Threat Analysis, Disclosure, Cyber Warfare and Geopolitics, Ethical Hacking