Red Hot Cyber, The cybersecurity news


Critical vulnerability in Apache Tomcat must be patched, otherwise the server could go into DoS.

Redazione RHC : 15 August 2025 08:50

A critical security flaw has been discovered in Apache Tomcat’s HTTP/2 implementation. This vulnerability allows attackers to conduct malicious denial-of-service (DoS) attacks on web servers.

The vulnerability, tracked as CVE-2025-48989 and dubbed the “Made You Reset” attack, affects several versions of the popular Java servlet container and poses significant risks to web applications worldwide. The flaw, classified as severe, affects Apache Tomcat versions 11.0.0-M1 to 11.0.9, 10.1.0-M1 to 10.1.43, and 9.0.0.M1 to 9.0.107.

Risk factors and details:

Affected products:
– Apache Tomcat 11.0.0-M1 to 11.0.9
– Apache Tomcat 10.1.0-M1 to 10.1.43
– Apache Tomcat 9.0.0.M1 to 9.0.107
– Older end-of-life (EOL) releases (potentially affected)

Impact:
– Denial of Service (DoS)

Exploitation prerequisites:
– HTTP/2 protocol enabled on the target server
– Network access to send malicious HTTP/2 requests
– Ability to craft HTTP/2 stream reset frames
– No authentication required

The vulnerability was identified by security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University, who released their findings on August 13, 2025. Even older, discontinued versions could be vulnerable, potentially affecting thousands of web servers worldwide.
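As an added, defender-side example (not code from the article or from the Apache Tomcat project), the following Python script turns the affected-version ranges and the HTTP/2 prerequisite listed above into an inventory check: it classifies a Tomcat version string against the three ranges, flags pre-9 branches as EOL and therefore of unknown status, and reports which connectors in a server.xml enable HTTP/2. The version strings and the server.xml fragment are constructed for the example; the only Tomcat-specific identifier used is the real Http2Protocol upgrade-protocol class name, which is how HTTP/2 is switched on for a connector.

```python
"""Inventory check for CVE-2025-48989 exposure (added example, not from the article).

Two questions a defender wants answered per host before patching:
  1. Is the running Tomcat version inside a range the article lists as affected?
  2. Is HTTP/2 enabled at all (the attack's prerequisite)?
"""
import re
import xml.etree.ElementTree as ET

# Tomcat version strings: "11.0.9", "11.0.0-M1" (Tomcat 10/11 milestones) or
# "9.0.0.M1" (Tomcat 9 milestones use a dot instead of a hyphen).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Affected ranges exactly as stated in the article (inclusive).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.9"),
    ("10.1.0-M1", "10.1.43"),
    ("9.0.0.M1", "9.0.107"),
]

# Real class name Tomcat uses to enable HTTP/2 on a Connector.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def version_key(version: str) -> tuple:
    """Map a Tomcat version string to a sortable tuple.

    Milestone builds get stage 0 and GA builds stage 1, so that
    11.0.0-M1 < 11.0.0-M2 < 11.0.0 < 11.0.1 compares correctly.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the listed affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def affected_status(version: str) -> str:
    """'affected', 'eol-unknown' (pre-9 branch, potentially affected per the
    article) or 'not-listed' (outside every listed range)."""
    if is_affected(version):
        return "affected"
    if version_key(version)[0] < 9:
        return "eol-unknown"
    return "not-listed"


def http2_connectors(server_xml: str) -> list:
    """Return the port of every Connector that carries an HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                ports.append(connector.get("port"))
    return ports


def triage(version: str, server_xml: str) -> dict:
    """Combine both checks: a host is exposed only if the version is affected
    AND at least one connector has HTTP/2 enabled."""
    status = affected_status(version)
    ports = http2_connectors(server_xml)
    return {
        "version": version,
        "status": status,
        "http2_ports": ports,
        "exposed": status == "affected" and bool(ports),
    }


# Constructed server.xml fragment for the example: one HTTP/1.1-only connector
# and one TLS connector with HTTP/2 enabled.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("9.0.107", "10.1.43", "11.0.0-M1", "11.0.9", "10.1.44", "8.5.100"):
        print(f"{v:>10}: {affected_status(v)}")
    print(triage("10.1.43", SAMPLE_SERVER_XML))
```

Run it against the version reported by your own instances (for example from the Tomcat version banner or `catalina.sh version`) and their real server.xml; a host with status "affected" and a non-empty HTTP/2 port list is the one to patch first, while "eol-unknown" hosts need a separate decision because the article says those branches are only potentially affected.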

The “Made You Reset” attack exploits weaknesses in Tomcat’s HTTP/2 protocol implementation, targeting the stream reset mechanism. When the attack succeeds, it manifests as an OutOfMemoryError: the targeted server exhausts its available memory and stops responding to legitimate requests.

The vulnerability lies in the way Tomcat handles HTTP/2 stream resets and connection management. Attackers can craft malicious HTTP/2 requests that force the server to allocate excessive memory resources without properly releasing them. This memory leak behavior can be triggered repeatedly, eventually overwhelming the server’s available memory pool and triggering a denial-of-service condition.

The attack vector exploits the HTTP/2 multiplexing feature, which allows multiple streams to be processed simultaneously over a single TCP connection.

By manipulating stream reset frames and connection state management, attackers can force Tomcat to maintain numerous half-open connections or incomplete stream states, resulting in resource exhaustion.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
