Apache Tomcat Vulnerabilities Let Attackers Trigger DoS Attack

A critical security vulnerability in Apache Tomcat’s HTTP/2 implementation has been discovered, enabling attackers to launch denial-of-service (DoS) attacks against web servers.

The vulnerability, designated as CVE-2025-48989 and dubbed the “Made You Reset” attack, affects multiple versions of the popular Java servlet container and poses significant risks to web applications worldwide.

The security flaw, rated as High severity, impacts Apache Tomcat versions 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107. 

Key Takeaways
1. Apache Tomcat's HTTP/2 flaw enables attackers to crash servers.
2. Affects Tomcat 9.0.x up to 9.0.107, 10.1.x up to 10.1.43 and 11.0.x up to 11.0.9, potentially impacting thousands of web servers globally.
3. Immediately upgrade to prevent exploitation.

Older end-of-life versions may also be vulnerable, potentially affecting thousands of web servers globally. 

The vulnerability was identified by security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel from Tel Aviv University, who disclosed their findings on August 13, 2025.

Exploiting HTTP/2 in Apache Tomcat 

The “Made You Reset” attack exploits weaknesses in Tomcat’s HTTP/2 protocol implementation, specifically targeting the connection reset mechanism. 

When successfully executed, the attack typically manifests as an OutOfMemoryError, causing the targeted server to exhaust its available memory resources and become unresponsive to legitimate requests.

The vulnerability lies in how Tomcat handles HTTP/2 stream resets and connection management. Attackers can craft malicious HTTP/2 requests that force the server to allocate excessive memory resources without properly releasing them. 

This memory leak behavior can be triggered repeatedly, eventually overwhelming the server’s available memory pool and triggering a denial-of-service condition.

The attack vector leverages the HTTP/2 multiplexing feature, where multiple streams can be processed simultaneously over a single TCP connection. 

By manipulating stream reset frames and connection state management, attackers can force Tomcat to maintain numerous half-open connections or incomplete stream states, leading to resource exhaustion.

Risk Factors and Details

Affected Products:
- Apache Tomcat 11.0.0-M1 to 11.0.9
- Apache Tomcat 10.1.0-M1 to 10.1.43
- Apache Tomcat 9.0.0.M1 to 9.0.107
- Older EOL versions (potentially affected)

Impact: Denial of Service (DoS)

Exploit Prerequisites:
- HTTP/2 protocol enabled on the target server
- Network access to send HTTP/2 requests to the server
- Ability to craft HTTP/2 stream reset frames
- No authentication required

Severity: High

Mitigations

The Apache Software Foundation has released patched versions to address this critical vulnerability. Organizations running affected Tomcat versions should immediately upgrade to Apache Tomcat 11.0.10, 10.1.44, or 9.0.108 or later versions. 

These updates include fixes for the HTTP/2 implementation that prevent the “Made You Reset” attack vector.
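To help operators check an installed instance against the ranges above, here is an added Python example (not code from the Tomcat project or from the article). It assumes the version string is taken from the `Server version: Apache Tomcat/x.y.z` line printed by `catalina.sh version`, and it reports end-of-life lines that the advisory only calls "potentially affected" as unknown rather than safe.

```python
import re
from typing import Optional, Tuple

# Affected ranges and first fixed release per branch, as stated in the advisory
# for CVE-2025-48989 ("Made You Reset"). The advisory also says older
# end-of-life lines may be affected, so anything older than these ranges is
# reported as "unknown", never as safe.
AFFECTED = {
    11: ("11.0.0-M1", "11.0.9", "11.0.10"),
    10: ("10.1.0-M1", "10.1.43", "10.1.44"),
    9: ("9.0.0.M1", "9.0.107", "9.0.108"),
}

# MAJOR.MINOR.PATCH with an optional milestone written as ".M<n>" (9.0 line)
# or "-M<n>" (10.1 and 11.0 lines).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_GA = 10**6  # sentinel so a GA build sorts after every milestone of its number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def version_from_banner(line: str) -> Optional[str]:
    """Extract the version from a 'Server version: Apache Tomcat/9.0.107' line."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    return m.group(1) if m else None


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify an installed version: ('vulnerable'|'patched'|'unknown', fix)."""
    v = parse_version(version)
    branch = AFFECTED.get(v[0])
    if branch is None:  # e.g. 8.5.x: EOL, advisory says possibly affected
        return ("unknown", None)
    low, high = parse_version(branch[0]), parse_version(branch[1])
    if low <= v <= high:
        return ("vulnerable", branch[2])
    if v > high:
        return ("patched", branch[2])
    return ("unknown", None)  # older minor line of the same major, e.g. 10.0.x
```

Feed it the banner line from each host (for example `assess(version_from_banner(line))`) and treat both "vulnerable" and "unknown" results as candidates for upgrade.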

System administrators should prioritize these updates, particularly for public-facing web applications that accept HTTP/2 connections. 

The vulnerability’s High severity rating indicates that successful exploitation could significantly impact service availability and business operations.

Security teams should also monitor their Tomcat installations for unusual memory consumption patterns and implement additional network-level protections, such as rate limiting and connection throttling, to mitigate potential attacks while patches are being deployed across their infrastructure.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.