A critical **CVE-2025-48989** vulnerability, dubbed *‘Made You Reset’*, was discovered in **Apache Tomcat’s HTTP/2 implementation**, enabling attackers to execute **devastating denial-of-service (DoS) attacks** by exploiting memory exhaustion flaws. The flaw affects **Tomcat versions 9.0.0–11.0.9**, risking crashes in thousands of global web servers. Attackers manipulate **HTTP/2 stream resets**, forcing servers into an *OutOfMemoryError* state, rendering them unresponsive. The vulnerability requires **no authentication**, only network access to send malicious requests. While patches (Tomcat **11.0.10, 10.1.44, 9.0.108+**) were released, unpatched systems remain exposed to **service outages, financial losses from downtime, and reputational damage**. Older end-of-life versions may also be vulnerable, amplifying risks for organizations relying on legacy infrastructure. The attack leverages **HTTP/2 multiplexing** to overwhelm memory pools, disrupting business-critical applications. Mitigations include **urgent upgrades, rate limiting, and monitoring for abnormal memory spikes** to prevent exploitation.
Source: https://cybersecuritynews.com/apache-tomcat-dos-vulnerabilities-2/
TPRM report: https://www.rankiteo.com/company/the-apache-software-foundation
"id": "the738081425",
"linkid": "the-apache-software-foundation",
"type": "Vulnerability",
"date": "8/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': ['Organizations Using Apache Tomcat (Potentially Thousands of Web Servers)'],
                        'industry': 'Software Development',
                        'location': 'Global',
                        'name': 'Apache Software Foundation',
                        'type': 'Open-Source Organization'}],
 'attack_vector': ['Network',
                   'HTTP/2 Protocol Manipulation',
                   'Stream Reset Frames'],
 'customer_advisories': ['Organizations Using Apache Tomcat Urged to Apply Patches',
                         'Public-Facing Web Applications Prioritized for Updates'],
 'date_publicly_disclosed': '2025-08-13',
 'description': "A critical security vulnerability in Apache Tomcat’s HTTP/2 implementation (CVE-2025-48989, dubbed 'Made You Reset') enables attackers to launch devastating denial-of-service (DoS) attacks by exploiting weaknesses in the connection reset mechanism. The flaw causes servers to exhaust memory resources, leading to OutOfMemoryError and unresponsiveness. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107, along with potentially vulnerable older end-of-life (EOL) versions. The attack leverages HTTP/2 multiplexing to manipulate stream reset frames, forcing the server to maintain half-open connections and deplete memory.",
 'impact': {'brand_reputation_impact': ['Potential Loss of Trust in Affected Services',
                                        'Negative Publicity for Organizations Using Vulnerable Versions'],
            'downtime': ['Potential Extended Outages Due to OutOfMemoryError',
                         'Service Unavailability for Legitimate Users'],
            'operational_impact': ['Disruption of Web Services',
                                   'Degraded Performance',
                                   'Resource Exhaustion'],
            'systems_affected': ['Apache Tomcat Servers (Versions 9.0.0-M1 to 11.0.9)',
                                 'Web Applications Relying on Affected Tomcat Instances']},
 'investigation_status': 'Disclosed; Patches Released',
 'lessons_learned': ['Importance of Timely Patching for Critical Vulnerabilities in Widely Used Software',
                     'Need for Robust Memory Management in HTTP/2 Implementations',
                     'Value of Network-Level Mitigations (e.g., Rate Limiting) During Patch Deployment'],
 'post_incident_analysis': {'corrective_actions': ['Patched HTTP/2 Implementation in Tomcat Versions 11.0.10, 10.1.44, and 9.0.108',
                                                   'Enhanced Memory Management for Connection States',
                                                   'Improved Handling of Stream Reset Frames'],
                            'root_causes': ['Flaw in HTTP/2 Stream Reset and Connection Management in Apache Tomcat',
                                            'Inadequate Memory Release Mechanisms for Half-Open Connections',
                                            'Lack of Input Validation for Malicious HTTP/2 Frames']},
 'recommendations': ['Upgrade to Patched Apache Tomcat Versions (11.0.10, 10.1.44, or 9.0.108+) Immediately',
                     'Disable HTTP/2 Protocol if Not Required for Operations',
                     'Implement Rate Limiting and Connection Throttling for HTTP/2 Traffic',
                     'Monitor Server Memory Usage for Anomalies Indicative of Exploitation',
                     'Conduct Regular Vulnerability Assessments for Web Server Infrastructure'],
 'references': [{'source': 'Security Researchers (Tel Aviv University) - Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel'},
                {'source': 'Apache Software Foundation Advisory'}],
 'response': {'communication_strategy': ['Public Disclosure by Security Researchers (Tel Aviv University)',
                                         'Advisories from Apache Software Foundation'],
              'containment_measures': ['Monitoring for Unusual Memory Consumption Patterns',
                                       'Network-Level Protections (Rate Limiting, Connection Throttling)'],
              'enhanced_monitoring': ['Monitoring for HTTP/2-Based Attacks',
                                      'Tracking Memory Usage Anomalies'],
              'remediation_measures': ['Immediate Upgrade to Patched Versions (Tomcat 11.0.10, 10.1.44, or 9.0.108+)']},
 'stakeholder_advisories': ['Apache Software Foundation',
                            'Security Research Community',
                            'System Administrators of Affected Tomcat Instances'],
 'title': "Apache Tomcat HTTP/2 'Made You Reset' Denial-of-Service Vulnerability (CVE-2025-48989)",
 'type': ['Vulnerability', 'Denial-of-Service (DoS)'],
 'vulnerability_exploited': "CVE-2025-48989 (HTTP/2 'Made You Reset' Memory Exhaustion)"}