Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-55163 (GCVE-0-2025-55163)
Vulnerability from cvelistv5
Published
2025-08-13 14:17
Modified
2025-08-13 14:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:37:06.148395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:37:20.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.124.Final"
},
{
"status": "affected",
"version": "\u003c 4.2.4.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:17:36.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
}
],
"source": {
"advisory": "GHSA-prj3-ccx8-p6x4",
"discovery": "UNKNOWN"
},
"title": "Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55163",
"datePublished": "2025-08-13T14:17:36.111Z",
"dateReserved": "2025-08-07T18:27:23.307Z",
"dateUpdated": "2025-08-13T14:37:20.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-55163\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-13T15:15:39.390\",\"lastModified\":\"2025-08-13T17:33:46.673\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55163\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-13T14:37:06.148395Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-13T14:37:10.688Z\"}}], \"cna\": {\"title\": \"Netty MadeYouReset HTTP/2 DDoS Vulnerability\", \"source\": {\"advisory\": \"GHSA-prj3-ccx8-p6x4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.1.124.Final\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.2.4.Final\"}]}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4\", \"name\": \"https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-13T14:17:36.111Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-55163\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-13T14:37:20.727Z\", \"dateReserved\": \"2025-08-07T18:27:23.307Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-13T14:17:36.111Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
rhsa-2025:14911
Vulnerability from csaf_redhat
Published
2025-08-28 18:38
Modified
2025-09-03 03:06
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.6 for Spring Boot release.
Notes
Topic
Red Hat build of Apache Camel 4.10.6 for Spring Boot patch release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details
Red Hat build of Apache Camel 4.10.6 for Spring Boot patch release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues
fixed.
Security Fix(es):
* jetty-http2-client: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-5115)
* jetty-http2-client-transport: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-5115)
* jetty-http2-common: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-5115)
* jetty-http2-hpack: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-5115)
* jetty-http2-server: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-5115)
* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of Apache Camel 4.10.6 for Spring Boot patch release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Apache Camel 4.10.6 for Spring Boot patch release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues\nfixed.\n\nSecurity Fix(es):\n \n* jetty-http2-client: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-5115)\n\n* jetty-http2-client-transport: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-5115)\n\n* jetty-http2-common: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-5115)\n\n* jetty-http2-hpack: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-5115)\n\n* jetty-http2-server: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-5115)\n\n* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14911",
"url": "https://access.redhat.com/errata/RHSA-2025:14911"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2373310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373310"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14911.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.6 for Spring Boot release.",
"tracking": {
"current_release_date": "2025-09-03T03:06:10+00:00",
"generator": {
"date": "2025-09-03T03:06:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:14911",
"initial_release_date": "2025-08-28T18:38:33+00:00",
"revision_history": [
{
"date": "2025-08-28T18:38:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-28T18:38:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-03T03:06:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9",
"product": {
"name": "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9",
"product_id": "Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.10"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5115",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-06-18T08:43:44.656000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373310"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5115"
},
{
"category": "external",
"summary": "RHBZ#2373310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373310"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5115",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5115"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-28T18:38:33+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14911"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to \"MadeYouReset\" DoS attack through HTTP/2 control frames"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-28T18:38:33+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14911"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
rhsa-2025:14919
Vulnerability from csaf_redhat
Published
2025-09-03 02:15
Modified
2025-09-03 07:12
Summary
Red Hat Security Advisory: Red Hat build of Cryostat 4.0.2: new RHEL 9 container image security update
Notes
Topic
New Red Hat build of Cryostat 4.0.2 on RHEL 9 container images are now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Cryostat 4 on RHEL 9 container images have been updated to fix several bugs.
Users of Cryostat 4 on RHEL 9 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.
Security Fix(es):
* cryostat: authentication bypass if Network Policies are disabled (CVE-2025-8415)
* netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
* form-data: Unsafe random function in form-data (CVE-2025-7783)
You can find images updated by this advisory in the Red Hat Container Catalog (see the References section).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Cryostat 4.0.2 on RHEL 9 container images are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Cryostat 4 on RHEL 9 container images have been updated to fix several bugs.\n\nUsers of Cryostat 4 on RHEL 9 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nSecurity Fix(es):\n\n* cryostat: authentication bypass if Network Policies are disabled (CVE-2025-8415)\n* netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)\n* form-data: Unsafe random function in form-data (CVE-2025-7783)\n\nYou can find images updated by this advisory in the Red Hat Container Catalog (see the References section).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14919",
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2381959",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381959"
},
{
"category": "external",
"summary": "2385773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14919.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Cryostat 4.0.2: new RHEL 9 container image security update",
"tracking": {
"current_release_date": "2025-09-03T07:12:27+00:00",
"generator": {
"date": "2025-09-03T07:12:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:14919",
"initial_release_date": "2025-09-03T02:15:18+00:00",
"revision_history": [
{
"date": "2025-09-03T02:15:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-09-03T02:15:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-03T07:12:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Cryostat 4 on RHEL 9",
"product": {
"name": "Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cryostat:4::el9"
}
}
}
],
"category": "product_family",
"name": "Cryostat"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.5.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"product": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"product_id": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-ose-oauth-proxy-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"product_id": "cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.0.2-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.5.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"product": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"product_id": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-ose-oauth-proxy-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"product_id": "cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.0.2-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.0.2-3"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64"
},
"product_reference": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64"
},
"product_reference": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-7783",
"cwe": {
"id": "CWE-330",
"name": "Use of Insufficiently Random Values"
},
"discovery_date": "2025-07-18T17:00:43.396637+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2381959"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability related to predictable random number generation has been discovered in the form-data JavaScript library. The library utilizes Math.random() to determine boundary values for multipart form-encoded data.\n\nThis presents a security risk if an attacker can observe other values generated by Math.random() within the target application and simultaneously control at least one field of a request made using form-data. Under these conditions, the attacker could potentially predict or determine the boundary values. This predictability could be leveraged to bypass security controls, manipulate form data, or potentially lead to data integrity issues or other forms of exploitation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: Unsafe random function in form-data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect host systems. The impact of this vulnerability is limited to specific applications which integrate the `form-data` library. As a result the impact of this CVE is limited on RedHat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7783"
},
{
"category": "external",
"summary": "RHBZ#2381959",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381959"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0",
"url": "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4"
}
],
"release_date": "2025-07-18T16:34:44.889000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-03T02:15:18+00:00",
"details": "You can download the Cryostat 4 on RHEL 9 container images that this update provides from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available in the Red Hat Container Catalog (see the References section).\n\nDockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "form-data: Unsafe random function in form-data"
},
{
"cve": "CVE-2025-8415",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2025-07-31T13:30:18.157000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2385773"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the Cryostat HTTP API. Cryostat\u0027s HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cryostat: authentication bypass if Network Policies are disabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8415"
},
{
"category": "external",
"summary": "RHBZ#2385773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8415"
}
],
"release_date": "2025-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-03T02:15:18+00:00",
"details": "You can download the Cryostat 4 on RHEL 9 container images that this update provides from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available in the Red Hat Container Catalog (see the References section).\n\nDockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
},
{
"category": "workaround",
"details": "Cryostat is not vulnerable by default, as Network Policy is enabled and prevents this behavior. Make sure the Network Policies are enabled in Custom Resources and that the underlying cluster network stack supports Network Policies.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cryostat: authentication bypass if Network Policies are disabled"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-03T02:15:18+00:00",
"details": "You can download the Cryostat 4 on RHEL 9 container images that this update provides from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available in the Red Hat Container Catalog (see the References section).\n\nDockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:0e5ffd83db750fb85c1e6e268a6be392bf084558e9b07d29bb6b752b756f98e8_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d6d38a85fabf58e7dabcc9088f0c5271f1f03616e883175ad67081232fd08189_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:98289ddd46c3b9e3ed22cb76f4f5372b28d84637f84e0e24fcfd75f1b6cdfc4c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:a598e40bbe2ce6243d1eb583dc57041c4ced8a4a5bcba2d0a4f9d8decc8bfb5e_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:1b2c837ef2ae61f187d4d3b7be3f9fb3a2f8910d99a5b7d02929edb993631cc9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:7c1d1bee4b41222a89ccff05f96c718c230779cd123c33ce5150c1c6df69abe4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:04c736cd3efff1a2d894bd7bfb2d982cc2de938aeb859ce01fe5c237275305a5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:72e93e32df5c0af848dfae42aee3633069df0cbdaacfc4bb9c68b54a161c1bd9_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:52f04cfb6bbc0a04ef61a1d061e45dc4a44e98fba9413961d69a6a97cf45e084_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:808f35402b5b20c395a26436d6a121fb8e81ff56fd6a60e8e84ad8e4f64d37d4_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:a049c80f0fdbdd21ee6513c703b057aae78259e2077357b84a3faf01a002db1f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:de2537a6036e88a9eb3821851b1f8e3fcaa069d46f18e9a999848058c2923872_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:2eef8c97381bc0c8418be415384f2cef5b59bcc2f286fe65fc18873d8719c628_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:577db510c36a906d7583f9daec87f1df593167ecaac881573a9fb9511e7786c0_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a2b8104352ac48cf5a076e0a4ab48e435535913e1f0301ba69bc7c4ff1ea70c2_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a4dd6911c3fcd3b1fffcb24b54f798cfd1f1113020556685333d8c8e3857a9ca_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:54fd86c9f83b0a690b5a2effd8bb1c1a91440c284f5c7c64a603bb62bb915e6f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:813522e91ba44510abfb6802cfbfe0dbdde1df678fb72c0954458d9485ff9469_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:0468feecc78f056ed30ab07ec3d8b53d0be37f4a00d49009ea6e3f9b20c9c509_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:415e55fd5a49c4de08af32f2efa76de4f5bbeeb48e868de5f8cdb79d7c8ce526_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:36f0386024588220c316c6dcc442a709491d5d6adb217ae1dd8dd1aca7c6b94a_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3c714df80db3d94b1e70cd81fd70b5f012f5e85b9cc974d8a56d0eb59174a823_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
rhsa-2025:14008
Vulnerability from csaf_redhat
Published
2025-08-19 13:50
Modified
2025-09-03 03:05
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.20.2.SP1 security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE link in the References section.
Details
This release of Red Hat build of Quarkus 3.20.2.SP1 includes the following CVE fix:
* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability
[quarkus-3.20] (CVE-2025-55163)
For more information, see the release notes page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.20.2.SP1 includes the following CVE fix:\n\n* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability\n[quarkus-3.20] (CVE-2025-55163)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14008",
"url": "https://access.redhat.com/errata/RHSA-2025:14008"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.2.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.2.SP1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
},
{
"category": "external",
"summary": "QUARKUS-6475",
"url": "https://issues.redhat.com/browse/QUARKUS-6475"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14008.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.2.SP1 security update",
"tracking": {
"current_release_date": "2025-09-03T03:05:50+00:00",
"generator": {
"date": "2025-09-03T03:05:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:14008",
"initial_release_date": "2025-08-19T13:50:46+00:00",
"revision_history": [
{
"date": "2025-08-19T13:50:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-19T13:50:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-03T03:05:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.20.2.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.20.2.SP1",
"product_id": "Red Hat build of Quarkus 3.20.2.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.20::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.2.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-19T13:50:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.2.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14008"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.2.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.2.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
rhsa-2025:14004
Vulnerability from csaf_redhat
Published
2025-08-19 13:50
Modified
2025-09-03 03:05
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.15.6.SP1 security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 3.15.6.SP1 includes the following CVE fix:
* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability [quarkus-3.15] (CVE-2025-55163)
For more information, see the release notes page listed in the References
section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.15.6.SP1 includes the following CVE fix:\n\n* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability [quarkus-3.15] (CVE-2025-55163)\n\nFor more information, see the release notes page listed in the References\nsection.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14004",
"url": "https://access.redhat.com/errata/RHSA-2025:14004"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.6.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.6.SP1"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.15",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.15"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14004.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.15.6.SP1 security update",
"tracking": {
"current_release_date": "2025-09-03T03:05:40+00:00",
"generator": {
"date": "2025-09-03T03:05:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:14004",
"initial_release_date": "2025-08-19T13:50:26+00:00",
"revision_history": [
{
"date": "2025-08-19T13:50:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-19T13:50:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-03T03:05:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.15.6.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.15.6.SP1",
"product_id": "Red Hat build of Quarkus 3.15.6.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.15::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.15.6.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-19T13:50:26+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.15.6.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14004"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.15.6.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.15.6.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
rhsa-2025:14197
Vulnerability from csaf_redhat
Published
2025-08-20 19:33
Modified
2025-09-03 03:06
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Details
An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:
* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n\n* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14197",
"url": "https://access.redhat.com/errata/RHSA-2025:14197"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55163",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14197.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.2.GA)",
"tracking": {
"current_release_date": "2025-09-03T03:06:00+00:00",
"generator": {
"date": "2025-09-03T03:06:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:14197",
"initial_release_date": "2025-08-20T19:33:32+00:00",
"revision_history": [
{
"date": "2025-08-20T19:33:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-20T19:33:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-03T03:06:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product": {
"name": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product_id": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_quarkus:3.20"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T19:33:32+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).\nRed Hat Product Security has rated this update as having a security impact of Important.",
"product_ids": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14197"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
ghsa-prj3-ccx8-p6x4
Vulnerability from github
Published
2025-08-13 19:06
Modified
2025-08-13 19:06
Severity ?
VLAI Severity ?
Summary
Netty affected by MadeYouReset HTTP/2 DDoS vulnerability
Details
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
MadeYouReset Vulnerability Summary
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.
Mechanism
The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). The vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are: 1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1) 2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it's possible a CONTINUATION frame to trigger that as well - but it's very rare). (Section 5.1) 3. PRIORITY frame with a length other than 5. (section 6.3) From our experience, the primitives are likely to exist in the decreasing order listed above. Note that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we’ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.
The vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. While the protocol does not count those streams as active, the server’s backend logic still processes and handles the requests that were canceled.
Thus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.
Attack Flow
For example, a possible attack scenario can be:
1. Attacker opens an HTTP/2 connection to the server.
2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X.
3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.
4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).
The attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server. This leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependent)
Comparison to Rapid Reset
The vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors. The Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5. Rapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.
Suggested Mitigations for MadeYouReset
A quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server. It is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.
As mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.
If you have any questions, we will be happy to clarify or schedule a Zoom call.
Gal, Anat and Yaniv.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.3.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.4.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.123.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.124.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55163"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-13T19:06:56Z",
"nvd_published_at": "2025-08-13T15:15:39Z",
"severity": "HIGH"
},
"details": "Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as \u201cMadeYouReset.\u201d\n\n### MadeYouReset Vulnerability Summary\nThe MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.\n\n### Mechanism\nThe vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). \nThe vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are:\n1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1)\n2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it\u0027s possible a CONTINUATION frame to trigger that as well - but it\u0027s very rare). (Section 5.1)\n3. PRIORITY frame with a length other than 5. (section 6.3)\nFrom our experience, the primitives are likely to exist in the decreasing order listed above.\nNote that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we\u2019ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.\n\nThe vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. \nWhile the protocol does not count those streams as active, the server\u2019s backend logic still processes and handles the requests that were canceled.\n\nThus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.\n\n### Attack Flow\nFor example, a possible attack scenario can be: \n1. Attacker opens an HTTP/2 connection to the server.\n2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X. \n3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.\n4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).\n\nThe attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server.\nThis leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependent)\n\n### Comparison to Rapid Reset\nThe vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors.\nThe Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5.\nRapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.\n\n### Suggested Mitigations for MadeYouReset\nA quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server.\nIt is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.\n\nAs mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.\n\n\nIf you have any questions, we will be happy to clarify or schedule a Zoom call.\n\nGal, Anat and Yaniv.",
"id": "GHSA-prj3-ccx8-p6x4",
"modified": "2025-08-13T19:06:57Z",
"published": "2025-08-13T19:06:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Netty affected by MadeYouReset HTTP/2 DDoS vulnerability"
}
wid-sec-w-2025-1830
Vulnerability from csaf_certbund
Published
2025-08-13 22:00
Modified
2025-09-02 22:00
Summary
http/2 Implementierungen: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
http/2 ist das HyperText Transfer Protocol in Version 2.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiednen http/2 Implementierungen ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "http/2 ist das HyperText Transfer Protocol in Version 2.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiednen http/2 Implementierungen ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1830 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1830.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1830 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1830"
},
{
"category": "external",
"summary": "Gal Bar Nahum\u0027s Blog - MadeYouReset Series vom 2025-08-13",
"url": "https://galbarnahum.com/made-you-reset"
},
{
"category": "external",
"summary": "CERT/CC VU#767506 vom 2025-08-13",
"url": "https://kb.cert.org/vuls/id/767506"
},
{
"category": "external",
"summary": "Varnish Security Advisory VSV00017 vom 2025-08-13",
"url": "https://varnish-cache.org/security/VSV00017.html"
},
{
"category": "external",
"summary": "Mailing List OSS Security vom 2025-08-13",
"url": "https://seclists.org/oss-sec/2025/q3/95"
},
{
"category": "external",
"summary": "Tomcat 9 Security vom 2025-08-13",
"url": "https://tomcat.apache.org/security-9.html"
},
{
"category": "external",
"summary": "Tomcat 10 Security vom 2025-08-13",
"url": "https://tomcat.apache.org/security-10.html"
},
{
"category": "external",
"summary": "Tomcat 11 Security vom 2025-08-13",
"url": "https://tomcat.apache.org/security-11.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:13686 vom 2025-08-13",
"url": "https://access.redhat.com/errata/RHSA-2025:13686"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:13685 vom 2025-08-14",
"url": "https://access.redhat.com/errata/RHSA-2025:13685"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15449-1 vom 2025-08-16",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LD37QPQBLKIFMKWJXACHGPA7WALFCOM7/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14004 vom 2025-08-19",
"url": "https://access.redhat.com/errata/RHSA-2025:14004"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14008 vom 2025-08-19",
"url": "https://access.redhat.com/errata/RHSA-2025:14008"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14182 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14177 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14177"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14180 vom 2025-08-21",
"url": "https://access.redhat.com/errata/RHSA-2025:14180"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-MMXM-8W33-WC4H vom 2025-08-20",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14179 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14179"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14178 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14178"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14183 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14177 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14177.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14197 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14197"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14181 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14181 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14181.html"
},
{
"category": "external",
"summary": "New Varnish Cache releases (7.7.3, 7.6.5 and 6.0.16) vom 2025-08-20",
"url": "https://varnish-cache.org/lists/pipermail/varnish-announce/2025-August/000771.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14178 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14178.html"
},
{
"category": "external",
"summary": "PoC CVE-2025-8671 vom 2025-08-24",
"url": "https://github.com/abiyeenzo/CVE-2025-8671"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15483-1 vom 2025-08-23",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EXDF5TMMN4LHEDWLII7MMDPWQR5D6UWU/"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14179 vom 2025-08-22",
"url": "https://linux.oracle.com/errata/ELSA-2025-14179.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15490-1 vom 2025-08-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HVS2SK75HFDIVZCEQSOAOL6TTJCJFJZK/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15491-1 vom 2025-08-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PFPY4ZCVL2NZMRDOWWAY4ZBXIIA663BF/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15489-1 vom 2025-08-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UBHMT4B4D7HRMDPQJYDEV5UUSG7LVAHI/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02992-1 vom 2025-08-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022280.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02993-1 vom 2025-08-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022294.html"
},
{
"category": "external",
"summary": "Camunda Security Notice 144 vom 2025-08-28",
"url": "https://docs.camunda.org/security/notices/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03006-1 vom 2025-08-28",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022326.html"
},
{
"category": "external",
"summary": "ATOSS Sicherheitsmitteilung: Apache Tomcat-Sicherheitsl\u00fccken vom 2025-08-28",
"url": "https://www.atoss.ch/de-ch/sicherheit/security-news"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14911 vom 2025-08-28",
"url": "https://access.redhat.com/errata/RHSA-2025:14911"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03024-1 vom 2025-08-29",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022345.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03021-1 vom 2025-08-29",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022331.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02993-2 vom 2025-09-01",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022373.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02993-2 vom 2025-09-01",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WDVRXONEUUASOWSNXL4RQLFHU45FFDH6/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14919 vom 2025-09-03",
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
}
],
"source_lang": "en-US",
"title": "http/2 Implementierungen: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2025-09-02T22:00:00.000+00:00",
"generator": {
"date": "2025-09-03T07:06:15.985+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1830",
"initial_release_date": "2025-08-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-08-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-08-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-08-19T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-08-20T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat, Open Source, Oracle Linux und European Union Vulnerability Database aufgenommen"
},
{
"date": "2025-08-21T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-08-24T22:00:00.000+00:00",
"number": "6",
"summary": "PoC aufgenommen"
},
{
"date": "2025-08-26T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-08-27T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-08-28T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von SUSE und Red Hat aufgenommen"
},
{
"date": "2025-08-31T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-09-01T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-09-02T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "12"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "ATOSS Staff Efficiency Suite",
"product": {
"name": "ATOSS Staff Efficiency Suite",
"product_id": "T041371",
"product_identification_helper": {
"cpe": "cpe:/a:atoss:staff_efficiency_suite:-"
}
}
}
],
"category": "vendor",
"name": "ATOSS"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c11.0.10",
"product": {
"name": "Apache Tomcat \u003c11.0.10",
"product_id": "1821869"
}
},
{
"category": "product_version",
"name": "11.0.10",
"product": {
"name": "Apache Tomcat 11.0.10",
"product_id": "1821869-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:tomcat:11.0.10"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.0.108",
"product": {
"name": "Apache Tomcat \u003c9.0.108",
"product_id": "1821870"
}
},
{
"category": "product_version",
"name": "9.0.108",
"product": {
"name": "Apache Tomcat 9.0.108",
"product_id": "1821870-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:tomcat:9.0.108"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.1.44",
"product": {
"name": "Apache Tomcat \u003c10.1.44",
"product_id": "T046241"
}
},
{
"category": "product_version",
"name": "10.1.44",
"product": {
"name": "Apache Tomcat 10.1.44",
"product_id": "T046241-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:tomcat:10.1.44"
}
}
}
],
"category": "product_name",
"name": "Tomcat"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.4.58",
"product": {
"name": "Eclipse Jetty \u003c9.4.58",
"product_id": "T046367"
}
},
{
"category": "product_version",
"name": "9.4.58",
"product": {
"name": "Eclipse Jetty 9.4.58",
"product_id": "T046367-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:eclipse:jetty:9.4.58"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.0.26",
"product": {
"name": "Eclipse Jetty \u003c10.0.26",
"product_id": "T046368"
}
},
{
"category": "product_version",
"name": "10.0.26",
"product": {
"name": "Eclipse Jetty 10.0.26",
"product_id": "T046368-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:eclipse:jetty:10.0.26"
}
}
},
{
"category": "product_version_range",
"name": "\u003c11.0.26",
"product": {
"name": "Eclipse Jetty \u003c11.0.26",
"product_id": "T046369"
}
},
{
"category": "product_version",
"name": "11.0.26",
"product": {
"name": "Eclipse Jetty 11.0.26",
"product_id": "T046369-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:eclipse:jetty:11.0.26"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.0.25",
"product": {
"name": "Eclipse Jetty \u003c12.0.25",
"product_id": "T046370"
}
},
{
"category": "product_version",
"name": "12.0.25",
"product": {
"name": "Eclipse Jetty 12.0.25",
"product_id": "T046370-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:eclipse:jetty:12.0.25"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.1.0.beta3",
"product": {
"name": "Eclipse Jetty \u003c12.1.0.beta3",
"product_id": "T046371"
}
},
{
"category": "product_version",
"name": "12.1.0.beta3",
"product": {
"name": "Eclipse Jetty 12.1.0.beta3",
"product_id": "T046371-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:eclipse:jetty:12.1.0.beta3"
}
}
}
],
"category": "product_name",
"name": "Jetty"
}
],
"category": "vendor",
"name": "Eclipse"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Optimize \u003c3.15.7",
"product": {
"name": "Open Source Camunda Optimize \u003c3.15.7",
"product_id": "T046585"
}
},
{
"category": "product_version",
"name": "Optimize 3.15.7",
"product": {
"name": "Open Source Camunda Optimize 3.15.7",
"product_id": "T046585-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:camunda:camunda:optimize_3.15.7"
}
}
},
{
"category": "product_version_range",
"name": "Optimize \u003c3.14.8",
"product": {
"name": "Open Source Camunda Optimize \u003c3.14.8",
"product_id": "T046586"
}
},
{
"category": "product_version",
"name": "Optimize 3.14.8",
"product": {
"name": "Open Source Camunda Optimize 3.14.8",
"product_id": "T046586-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:camunda:camunda:optimize_3.14.8"
}
}
},
{
"category": "product_version_range",
"name": "Optimize \u003c3.13.19",
"product": {
"name": "Open Source Camunda Optimize \u003c3.13.19",
"product_id": "T046587"
}
},
{
"category": "product_version",
"name": "Optimize 3.13.19",
"product": {
"name": "Open Source Camunda Optimize 3.13.19",
"product_id": "T046587-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:camunda:camunda:optimize_3.13.19"
}
}
}
],
"category": "product_name",
"name": "Camunda"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c7.6.4",
"product": {
"name": "Open Source Varnish HTTP Cache \u003c7.6.4",
"product_id": "T046242"
}
},
{
"category": "product_version",
"name": "7.6.4",
"product": {
"name": "Open Source Varnish HTTP Cache 7.6.4",
"product_id": "T046242-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:7.6.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.7.2",
"product": {
"name": "Open Source Varnish HTTP Cache \u003c7.7.2",
"product_id": "T046243"
}
},
{
"category": "product_version",
"name": "7.7.2",
"product": {
"name": "Open Source Varnish HTTP Cache 7.7.2",
"product_id": "T046243-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:7.7.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.15",
"product": {
"name": "Open Source Varnish HTTP Cache \u003c6.0.15",
"product_id": "T046244"
}
},
{
"category": "product_version",
"name": "6.0.15",
"product": {
"name": "Open Source Varnish HTTP Cache 6.0.15",
"product_id": "T046244-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:6.0.15"
}
}
}
],
"category": "product_name",
"name": "Varnish HTTP Cache"
},
{
"category": "product_name",
"name": "Open Source lighttpd",
"product": {
"name": "Open Source lighttpd",
"product_id": "T000812",
"product_identification_helper": {
"cpe": "cpe:/a:lighttpd:lighttpd:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "Apache Camel 1",
"product": {
"name": "Red Hat Enterprise Linux Apache Camel 1",
"product_id": "T044468",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_1"
}
}
},
{
"category": "product_version",
"name": "Quarkus 3.15.6.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus 3.15.6.SP1",
"product_id": "T046330",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:quarkus_3.15.6.sp1"
}
}
},
{
"category": "product_version",
"name": "Quarkus 3.20.2.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus 3.20.2.SP1",
"product_id": "T046331",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:quarkus_3.20.2.sp1"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "Camel for Spring Boot 1",
"product": {
"name": "Red Hat Integration Camel for Spring Boot 1",
"product_id": "T035240",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:camel_for_spring_boot_1"
}
}
}
],
"category": "product_name",
"name": "Integration"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.1.2",
"product": {
"name": "Red Hat JBoss Web Server \u003c6.1.2",
"product_id": "T046251"
}
},
{
"category": "product_version",
"name": "6.1.2",
"product": {
"name": "Red Hat JBoss Web Server 6.1.2",
"product_id": "T046251-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1.2"
}
}
}
],
"category": "product_name",
"name": "JBoss Web Server"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Specification http/2",
"product": {
"name": "Specification http/2",
"product_id": "T030386",
"product_identification_helper": {
"cpe": "cpe:/a:ietf:http2:-"
}
}
}
],
"category": "vendor",
"name": "Specification"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48989",
"product_status": {
"known_affected": [
"T030386",
"T046370",
"67646",
"T046371",
"T004914",
"T000812",
"1821870",
"T046330",
"T046331",
"T046251",
"T035240",
"1821869",
"T046369",
"T041371",
"T044468",
"T002207",
"T027843",
"T046242",
"T046243",
"T046241",
"T046367",
"T046587",
"T046368",
"T046244",
"T046585",
"T046586"
]
},
"release_date": "2025-08-13T22:00:00.000+00:00",
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-5115",
"product_status": {
"known_affected": [
"T030386",
"T046370",
"67646",
"T046371",
"T004914",
"T000812",
"1821870",
"T046330",
"T046331",
"T046251",
"T035240",
"1821869",
"T046369",
"T041371",
"T044468",
"T002207",
"T027843",
"T046242",
"T046243",
"T046241",
"T046367",
"T046587",
"T046368",
"T046244",
"T046585",
"T046586"
]
},
"release_date": "2025-08-13T22:00:00.000+00:00",
"title": "CVE-2025-5115"
},
{
"cve": "CVE-2025-55163",
"product_status": {
"known_affected": [
"T030386",
"T046370",
"67646",
"T046371",
"T004914",
"T000812",
"1821870",
"T046330",
"T046331",
"T046251",
"T035240",
"1821869",
"T046369",
"T041371",
"T044468",
"T002207",
"T027843",
"T046242",
"T046243",
"T046241",
"T046367",
"T046587",
"T046368",
"T046244",
"T046585",
"T046586"
]
},
"release_date": "2025-08-13T22:00:00.000+00:00",
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-8671",
"product_status": {
"known_affected": [
"T030386",
"T046370",
"67646",
"T046371",
"T004914",
"T000812",
"1821870",
"T046330",
"T046331",
"T046251",
"T035240",
"1821869",
"T046369",
"T041371",
"T044468",
"T002207",
"T027843",
"T046242",
"T046243",
"T046241",
"T046367",
"T046587",
"T046368",
"T046244",
"T046585",
"T046586"
]
},
"release_date": "2025-08-13T22:00:00.000+00:00",
"title": "CVE-2025-8671"
}
]
}
opensuse-su-2025:15484-1
Vulnerability from csaf_opensuse
Published
2025-08-22 00:00
Modified
2025-08-22 00:00
Summary
netty-4.1.124-1.1 on GA media
Notes
Title of the patch
netty-4.1.124-1.1 on GA media
Description of the patch
These are all security issues fixed in the netty-4.1.124-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15484
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.124-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.124-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15484",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15484-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55163 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55163/"
}
],
"title": "netty-4.1.124-1.1 on GA media",
"tracking": {
"current_release_date": "2025-08-22T00:00:00Z",
"generator": {
"date": "2025-08-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15484-1",
"initial_release_date": "2025-08-22T00:00:00Z",
"revision_history": [
{
"date": "2025-08-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.124-1.1.aarch64",
"product": {
"name": "netty-4.1.124-1.1.aarch64",
"product_id": "netty-4.1.124-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.124-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.124-1.1.aarch64",
"product_id": "netty-bom-4.1.124-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.124-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.124-1.1.aarch64",
"product_id": "netty-javadoc-4.1.124-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.124-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.124-1.1.aarch64",
"product_id": "netty-parent-4.1.124-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.124-1.1.ppc64le",
"product": {
"name": "netty-4.1.124-1.1.ppc64le",
"product_id": "netty-4.1.124-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.124-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.124-1.1.ppc64le",
"product_id": "netty-bom-4.1.124-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.124-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.124-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.124-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.124-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.124-1.1.ppc64le",
"product_id": "netty-parent-4.1.124-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.124-1.1.s390x",
"product": {
"name": "netty-4.1.124-1.1.s390x",
"product_id": "netty-4.1.124-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.124-1.1.s390x",
"product": {
"name": "netty-bom-4.1.124-1.1.s390x",
"product_id": "netty-bom-4.1.124-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.124-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.124-1.1.s390x",
"product_id": "netty-javadoc-4.1.124-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.124-1.1.s390x",
"product": {
"name": "netty-parent-4.1.124-1.1.s390x",
"product_id": "netty-parent-4.1.124-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.124-1.1.x86_64",
"product": {
"name": "netty-4.1.124-1.1.x86_64",
"product_id": "netty-4.1.124-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.124-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.124-1.1.x86_64",
"product_id": "netty-bom-4.1.124-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.124-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.124-1.1.x86_64",
"product_id": "netty-javadoc-4.1.124-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.124-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.124-1.1.x86_64",
"product_id": "netty-parent-4.1.124-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.124-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.124-1.1.aarch64"
},
"product_reference": "netty-4.1.124-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.124-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.124-1.1.ppc64le"
},
"product_reference": "netty-4.1.124-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.124-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.124-1.1.s390x"
},
"product_reference": "netty-4.1.124-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.124-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.124-1.1.x86_64"
},
"product_reference": "netty-4.1.124-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.124-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.124-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.124-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.124-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.124-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.124-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.124-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.124-1.1.s390x"
},
"product_reference": "netty-bom-4.1.124-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.124-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.124-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.124-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.124-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.124-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.124-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.124-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.124-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.124-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.124-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.124-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.124-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.124-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.124-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.124-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.124-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.124-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.124-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.124-1.1.s390x"
},
"product_reference": "netty-parent-4.1.124-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.124-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.124-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.124-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55163",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55163"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55163",
"url": "https://www.suse.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "SUSE Bug 1243888 for CVE-2025-55163",
"url": "https://bugzilla.suse.com/1243888"
},
{
"category": "external",
"summary": "SUSE Bug 1244252 for CVE-2025-55163",
"url": "https://bugzilla.suse.com/1244252"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.124-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.124-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-22T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-55163"
}
]
}
fkie_cve-2025-55163
Vulnerability from fkie_nvd
Published
2025-08-13 15:15
Modified
2025-08-13 17:33
Severity ?
Summary
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final."
},
{
"lang": "es",
"value": "Netty es un framework de aplicaciones de red as\u00edncrono y basado en eventos. En versiones anteriores a la 4.1.124.Final y la 4.2.4.Final, Netty era vulnerable a ataques DDoS de MadeYouReset. Esta vulnerabilidad l\u00f3gica del protocolo HTTP/2 utiliza tramas de control HTTP/2 malformadas para superar el l\u00edmite m\u00e1ximo de transmisiones concurrentes, lo que provoca el agotamiento de recursos y una denegaci\u00f3n de servicio distribuida. Este problema se ha corregido en las versiones 4.1.124.Final y la 4.2.4.Final."
}
],
"id": "CVE-2025-55163",
"lastModified": "2025-08-13T17:33:46.673",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-13T15:15:39.390",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…