CVE-2025-55163: 
Java vulnerability analysis and mitigation

The MadeYouReset vulnerability (CVE-2025-55163) is a logical vulnerability in the HTTP/2 protocol that enables attackers to bypass the max concurrent streams limit through malformed HTTP/2 control frames, leading to resource exhaustion and distributed denial of service. The vulnerability was discovered in 2025 and affects Netty versions <=4.2.3.Final and <= 4.1.123.Final, with patches available in versions 4.2.4.Final and 4.1.124.Final (GitHub Advisory).

The vulnerability exploits a design flaw in HTTP/2 protocol where reset streams are immediately considered inactive and unaccounted for in the active streams counter, while the server's backend continues processing the canceled requests. The attack can be triggered through several primitives defined in RFC 9113, including WINDOWUPDATE frames with an increment of 0, HEADERS or DATA frames sent on half-closed streams, and PRIORITY frames with incorrect length. The most common trigger is the WINDOWUPDATE frame manipulation (GitHub Advisory).

The exploitation can lead to resource exhaustion and distributed denial of service, specifically causing CPU overload and/or memory exhaustion, depending on the implementation. The vulnerability allows attackers to create an unbounded number of concurrent streams from a client on the same connection, bypassing the typical limit of 100 concurrent active streams (GitHub Advisory).

The recommended mitigations include limiting the number/rate of RSTSTREAMs sent from the server, limiting the number/rate of control frames sent by the client (such as WINDOWUPDATE and PRIORITY), and treating protocol flow errors as connection errors. Additionally, updating to the patched versions (4.2.4.Final or 4.1.124.Final) is strongly recommended (GitHub Advisory).