{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5115", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2025-05-23T08:55:59.861Z", "datePublished": "2025-08-20T19:07:11.546Z", "dateUpdated": "2025-08-21T10:36:49.477Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "pkg:maven/org.eclipse.jetty.http2/http2-common", "product": "Eclipse Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "versions": [{"lessThanOrEqual": "<=9.4.57", "status": "affected", "version": ">=9.3.0", "versionType": "semver"}, {"lessThanOrEqual": "<=10.0.25", "status": "affected", "version": ">=10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "<=11.0.25", "status": "affected", "version": ">=11.0.0", "versionType": "semver"}, {"lessThanOrEqual": "<=12.0.21", "status": "affected", "version": ">=12.0.0", "versionType": "semver"}, {"lessThanOrEqual": "<=12.1.0.alpha2", "status": "affected", "version": ">=12.1.0.alpha0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>In Eclipse Jetty, versions &lt;=9.4.57, &lt;=10.0.25, &lt;=11.0.25, &lt;=12.0.21, &lt;=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.</p>\n<p>For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update\"></a>, the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.</p>\n<p>The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.</p>\n\n<p><strong>Links:</strong></p>\n<ul>\n<li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\">https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h</a></li></ul><p></p>"}], "value": "In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\n\n\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\n\n\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\n\n\n\nLinks:\n\n\n\n * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-08-21T10:36:49.477Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"}, {"tags": ["patch"], "url": "https://github.com/jetty/jetty.project/pull/13449"}, {"tags": ["release-notes"], "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0"}, {"tags": ["release-notes"], "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25"}, {"tags": ["release-notes"], "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26"}, {"tags": ["release-notes"], "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26"}, {"tags": ["release-notes"], "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814"}], "source": {"discovery": "UNKNOWN"}, "title": "MadeYouReset HTTP/2 vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T19:28:04.700843Z", "id": "CVE-2025-5115", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T19:28:12.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5115", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T19:28:04.700843Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T19:28:07.991Z"}}], "cna": {"title": "MadeYouReset HTTP/2 vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "product": "Eclipse Jetty", "versions": [{"status": "affected", "version": ">=9.3.0", "versionType": "semver", "lessThanOrEqual": "<=9.4.57"}, {"status": "affected", "version": ">=10.0.0", "versionType": "semver", "lessThanOrEqual": "<=10.0.25"}, {"status": "affected", "version": ">=11.0.0", "versionType": "semver", "lessThanOrEqual": "<=11.0.25"}, {"status": "affected", "version": ">=12.0.0", "versionType": "semver", "lessThanOrEqual": "<=12.0.21"}, {"status": "affected", "version": ">=12.1.0.alpha0", "versionType": "semver", "lessThanOrEqual": "<=12.1.0.alpha2"}], "packageName": "pkg:maven/org.eclipse.jetty.http2/http2-common", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h", "tags": ["issue-tracking"]}, {"url": "https://github.com/jetty/jetty.project/pull/13449", "tags": ["patch"]}, {"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0", "tags": ["release-notes"]}, {"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25", "tags": ["release-notes"]}, {"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26", "tags": ["release-notes"]}, {"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26", "tags": ["release-notes"]}, {"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\n\n\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\n\n\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\n\n\n\nLinks:\n\n\n\n * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h", "supportingMedia": [{"type": "text/html", "value": "<p></p><p>In Eclipse Jetty, versions &lt;=9.4.57, &lt;=10.0.25, &lt;=11.0.25, &lt;=12.0.21, &lt;=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.</p>\n<p>For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update\"></a>, the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.</p>\n<p>The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.</p>\n\n<p><strong>Links:</strong></p>\n<ul>\n<li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\">https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h</a></li></ul><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-08-21T10:36:49.477Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5115", "state": "PUBLISHED", "dateUpdated": "2025-08-21T10:36:49.477Z", "dateReserved": "2025-05-23T08:55:59.861Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2025-08-20T19:07:11.546Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\n\n\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\n\n\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\n\n\n\nLinks:\n\n\n\n * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"}, {"lang": "es", "value": "En Eclipse Jetty, versiones &lt;=9.4.57, &lt;=10.0.25, &lt;=11.0.25, &lt;=12.0.21, &lt;=12.1.0.alpha2, un cliente HTTP/2 puede provocar que el servidor env\u00ede tramas RST_STREAM, por ejemplo, enviando tramas con formato incorrecto o que no deber\u00edan enviarse en un estado de flujo espec\u00edfico, lo que obliga al servidor a consumir recursos como CPU y memoria. Por ejemplo, un cliente puede abrir un flujo y luego enviar tramas WINDOW_UPDATE con un incremento de tama\u00f1o de ventana de 0, lo cual es ilegal. Seg\u00fan la especificaci\u00f3n https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update, el servidor debe enviar una trama RST_STREAM. El cliente ahora puede abrir otra transmisi\u00f3n y enviar otra WINDOW_UPDATE incorrecta, lo que provoca que el servidor consuma m\u00e1s recursos de los necesarios. En este caso, no se supera el n\u00famero m\u00e1ximo de transmisiones simult\u00e1neas, pero el cliente puede crear una enorme cantidad de transmisiones en poco tiempo. El ataque puede ejecutarse con otras condiciones (por ejemplo, una trama DATA para una transmisi\u00f3n cerrada) que provocan que el servidor env\u00ede una trama RST_STREAM. Enlaces: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"}], "id": "CVE-2025-5115", "lastModified": "2025-08-22T18:09:17.710", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2025-08-20T20:15:33.377", "references": [{"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/pull/13449"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"bugzilla": {"description": "jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames", "id": "2373310", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373310"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["A flaw was found in Jetty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-5115", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jetty-http2-common", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jetty-http2-hpack", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jetty-http2-server", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Will not fix", "package_name": "netty-codec-http2", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "jetty-http2-client", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "jetty-http2-client-transport", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "jetty-http2-common", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "jetty-http2-hpack", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "jetty-http2-server", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Will not fix", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "netty-codec-http2", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.jboss.eap-jboss-eap-xp", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.postgresql-pgjdbc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.jboss.eap-jboss-eap-xp", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.postgresql-pgjdbc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Out of support scope", "package_name": "netty-codec-http2", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "streams for Apache Kafka 2"}], "public_date": "2025-08-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-5115\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5115\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\nhttps://kb.cert.org/vuls/id/767506"], "statement": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.", "threat_severity": "Important"}