CVE-2025-55163: 
Java vulnerability analysis and mitigation

Netty, an asynchronous event-driven network application framework, was found to be vulnerable to a logical vulnerability in the HTTP/2 protocol known as 'MadeYouReset DDoS' (CVE-2025-55163). The vulnerability was discovered and disclosed on August 13, 2025, affecting Netty versions prior to 4.1.124.Final and 4.2.4.Final. The vulnerability allows attackers to exploit malformed HTTP/2 control frames to bypass the maximum concurrent streams limit (GitHub Advisory).

The MadeYouReset vulnerability operates by manipulating HTTP/2 control frames to force the server to reset streams created by the client using RST_STREAM frames. The attack can be triggered through multiple primitives defined in RFC 9113, including WINDOW_UPDATE frames with an increment of 0, HEADERS or DATA frames sent on half-closed streams, and PRIORITY frames with incorrect length. The vulnerability exploits a design flaw in HTTP/2 where reset streams are immediately considered inactive and unaccounted for in the active streams counter, while the server continues processing the canceled requests. The vulnerability has received a CVSS 4.0 Base Score of 8.2 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The exploitation of this vulnerability can lead to resource exhaustion and distributed denial of service (DDoS). The specific impacts include CPU overload and/or memory exhaustion, depending on the implementation. The vulnerability allows attackers to cause the server to handle an unbounded number of concurrent streams from a client on the same connection (GitHub Advisory).

The vulnerability has been patched in Netty versions 4.1.124.Final and 4.2.4.Final. For those unable to update immediately, suggested mitigations include limiting the number/rate of RST_STREAMs sent from the server, limiting the number/rate of control frames sent by the client, and treating protocol flow errors as connection errors (GitHub Advisory, Red Hat).