CVE-2025-5115: 
Java vulnerability analysis and mitigation

CVE-2025-5115, known as the 'MadeYouReset' vulnerability, is a logical vulnerability in the HTTP/2 protocol affecting Eclipse Jetty versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, and <=12.1.0.alpha2. The vulnerability was discovered and disclosed in August 2025, affecting the HTTP/2 implementation in Jetty servers (Eclipse Advisory).

The vulnerability allows an HTTP/2 client to trigger the server to send RST_STREAM frames by sending malformed frames or frames that violate protocol state. For example, a client can open a stream and send WINDOW_UPDATE frames with window size increment of 0, which is illegal according to RFC 9113. The server responds by sending a RST_STREAM frame, allowing the client to create an enormous number of streams in a short period without exceeding the max concurrent streams limit. The vulnerability has received a CVSS v4.0 score of 7.7 (HIGH) (Eclipse Advisory).

The exploitation leads to resource exhaustion and distributed denial of service, resulting in CPU overload and/or memory exhaustion. The attack can be performed rapidly since the active streams counter never exceeds 1 and the attacker does not need to wait for the server's response. This vulnerability is similar to but distinct from the Rapid Reset vulnerability (CVE-2023-44487) (Eclipse Advisory).

Patched versions have been released: 9.4.58, 10.0.26, 11.0.26, 12.0.25, and 12.1.0.beta3. The only workaround apart from upgrading is disabling HTTP/2. Suggested mitigations include limiting the number/rate of RST_STREAMs sent from the server and limiting the number/rate of control frames sent by the client (Eclipse Advisory, Jetty Release).