Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Critical vulnerability in Apache Tomcat must be patched, otherwise the server is exposed to denial of service.

15 August 2025 08:50

A critical security flaw has been discovered in Apache Tomcat's HTTP/2 implementation. It allows unauthenticated, remote attackers to mount denial-of-service (DoS) attacks against affected web servers.

The vulnerability, tracked as CVE-2025-48989 and dubbed the "Made You Reset" (MadeYouReset) attack, affects several release branches of the popular Java servlet container and poses a significant risk to web applications worldwide. The flaw, classified as severe, affects Apache Tomcat 11.0.0-M1 to 11.0.9, 10.1.0-M1 to 10.1.43, and 9.0.0.M1 to 9.0.107.

Risk factor                 Details
Affected products           Apache Tomcat 11.0.0-M1 to 11.0.9; Apache Tomcat 10.1.0-M1 to 10.1.43; Apache Tomcat 9.0.0.M1 to 9.0.107; older end-of-life releases (potentially affected, no fix available)
Impact                      Denial of Service (DoS)
Exploitation prerequisites  HTTP/2 enabled on the target connector; network access to the server; ability to send crafted HTTP/2 frames that force the server to reset streams; no authentication required

The vulnerability was identified by security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University, who published their findings on August 13, 2025. Older, discontinued release branches may also be vulnerable but will not receive a fix, so thousands of web servers worldwide are potentially affected.
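The following Python script is an added example for this article, not code from Red Hot Cyber or from the Apache Tomcat project. It decides whether a Tomcat version string (as printed by `bin/version.sh`, or bare) falls inside the affected ranges quoted above, inferring the fixed release as the first one after each range, and it checks a `server.xml` for a Connector carrying the HTTP/2 UpgradeProtocol, since HTTP/2 being enabled is the listed exploitation prerequisite. The version string and the `server.xml` are constructed samples.

```python
"""Assess a Tomcat install against the CVE-2025-48989 advisory ranges and check
whether HTTP/2 is enabled. Added example; not Tomcat project code."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

# (branch, first affected, last affected), exactly as listed in the advisory text.
AFFECTED_RANGES = [
    ("11.0", "11.0.0-M1", "11.0.9"),
    ("10.1", "10.1.0-M1", "10.1.43"),
    ("9.0", "9.0.0.M1", "9.0.107"),
]

# Matches "9.0.107", "11.0.0-M1", "9.0.0.M1" and the same inside "Apache Tomcat/...".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
_FINAL = 10**6  # milestone sentinel: finals sort after every milestone of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version (or a line containing one) into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _FINAL)


def assess(version_text: str) -> str:
    """Classify a version against the advisory ranges."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    for name, first, last in AFFECTED_RANGES:
        if name != branch:
            continue
        last_v = parse_version(last)
        if parse_version(first) <= v <= last_v:
            # Fixed release inferred as the next patch after the affected range.
            return f"AFFECTED (upgrade to {last_v[0]}.{last_v[1]}.{last_v[2] + 1} or later)"
        return "not affected (newer than the advisory range)"
    oldest_supported = min(parse_version(first) for _, first, _ in AFFECTED_RANGES)
    if v < oldest_supported:
        return "EOL branch: not covered by the fix, treat as potentially affected"
    return "branch not listed in the advisory"


def http2_connectors(server_xml: str) -> List[str]:
    """Ports of every Connector that enables HTTP/2 via the UpgradeProtocol element.
    Commented-out connectors are skipped, as Tomcat itself ignores them."""
    root = ET.fromstring(server_xml)
    return [
        connector.get("port", "?")
        for connector in root.iter("Connector")
        for up in connector.findall("UpgradeProtocol")
        if up.get("className") == HTTP2_UPGRADE_CLASS
    ]


def report(version_text: str, server_xml: str) -> dict:
    """Combine both checks: exposed only if the version is affected AND HTTP/2 is on."""
    assessment = assess(version_text)
    ports = http2_connectors(server_xml)
    return {
        "version": version_text,
        "assessment": assessment,
        "http2_ports": ports,
        "exposed": assessment.startswith("AFFECTED") and bool(ports),
    }


# Constructed sample server.xml: one plain HTTP/1.1 connector, one commented-out
# HTTP/2 connector, and one live TLS connector with HTTP/2 enabled.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!--
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Constructed sample: the "Server version" line from bin/version.sh on a vulnerable install.
    for key, value in report("Server version: Apache Tomcat/9.0.107", SAMPLE_SERVER_XML).items():
        print(f"{key}: {value}")
```

Run it against the real `bin/version.sh` output and `conf/server.xml` of each instance; an install that is in the affected range but has no HTTP/2 UpgradeProtocol is not exposed to this particular attack, though it should still be upgraded.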

The "Made You Reset" attack exploits a weakness in Tomcat's HTTP/2 implementation, specifically in how stream resets (RST_STREAM frames) are handled. When it succeeds, the attack manifests as an OutOfMemoryError: the targeted server exhausts its available heap and stops responding to legitimate requests.

The flaw lies in the way Tomcat accounts for HTTP/2 streams that it has been forced to reset. By sending a request and then a frame that violates the protocol on the same stream, an attacker makes the server itself reset that stream. The reset stream no longer counts against the client's concurrent-stream limit, yet the request it carried has already been dispatched and keeps consuming memory and worker capacity. Repeating this on a single connection lets the outstanding work grow without bound until the heap is exhausted and a denial-of-service condition results.

The attack vector builds on HTTP/2 multiplexing, which carries many concurrent streams over a single TCP connection. The per-connection concurrent-stream limit is meant to bound the work one client can impose, but a reset initiated by the server frees a slot without immediately releasing the resources already committed to that request.

By provoking server-side resets and manipulating the connection's stream state, an attacker can therefore keep Tomcat processing a growing number of requests on streams the client has effectively abandoned, resulting in resource exhaustion.
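To make the mechanism concrete, here is a simplified Python model of the stream accounting described above. It is an added example, not Apache Tomcat source code, and it deliberately does not reproduce any specific malicious frame sequence: `malformed_frame` stands for whatever protocol violation obliges the server to answer with RST_STREAM. The `reset_budget` mitigation, the stream limit and the attempt counts are constructed for the illustration, and the model assumes the attacker is faster than the application, so the backlog never drains.

```python
"""Simplified model of HTTP/2 stream accounting on one connection.

Added example, not Apache Tomcat code. It shows why a reset the *server* is
forced to send removes the stream from the client's concurrency budget while
the request that stream carried is already being processed, and how counting
such resets against a per-connection budget bounds the damage.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional, Set


@dataclass
class Connection:
    max_concurrent_streams: int = 100       # limit the server advertises to the client
    reset_budget: Optional[int] = None      # None: server never limits the resets it is forced to send
    active: Set[int] = field(default_factory=set)             # open / half-closed streams
    backend_queue: Deque[int] = field(default_factory=deque)  # requests dispatched, not yet finished
    server_resets: int = 0
    closed: bool = False

    def open_stream(self, stream_id: int) -> bool:
        """Client HEADERS frame. Refused once the client holds the maximum number
        of open streams, exactly as the protocol limit intends."""
        if self.closed or len(self.active) >= self.max_concurrent_streams:
            return False
        self.active.add(stream_id)
        # The request is handed to the container as soon as the headers are complete.
        self.backend_queue.append(stream_id)
        return True

    def malformed_frame(self, stream_id: int) -> None:
        """Any protocol violation on an open stream. The server must answer with
        RST_STREAM; the stream is now closed and no longer counts as concurrent,
        but the work already dispatched for it is still sitting in the backlog."""
        if self.closed or stream_id not in self.active:
            return
        self.active.discard(stream_id)
        self.server_resets += 1
        if self.reset_budget is not None and self.server_resets > self.reset_budget:
            # Mitigation: treat server-forced resets as overhead and end the connection.
            self.closed = True


def run_attack(conn: Connection, attempts: int) -> int:
    """Open a stream, immediately provoke a reset, repeat. Returns the size of the
    backlog the container still has to process (and hold in memory). The backlog
    never drains here: the attacker is assumed to be faster than the application."""
    for stream_id in range(1, 2 * attempts, 2):  # client-initiated streams are odd-numbered
        if not conn.open_stream(stream_id):
            break
        conn.malformed_frame(stream_id)
    return len(conn.backend_queue)


if __name__ == "__main__":
    unbounded = run_attack(Connection(max_concurrent_streams=100), attempts=10_000)
    bounded = run_attack(Connection(max_concurrent_streams=100, reset_budget=50), attempts=10_000)
    print(f"no reset budget: backlog={unbounded} despite a limit of 100 concurrent streams")
    print(f"reset budget 50: backlog={bounded}, connection closed")
```

The point of the model is the gap between the two numbers: the client never holds more than one open stream, so the concurrency limit is never hit, yet without a budget on server-forced resets the backlog grows to the full number of attempts. Counting those resets as overhead and closing the connection once the budget is spent caps the backlog at the budget plus one.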


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.