Apache Tomcat vulnerabilities allow Denial of Service (DoS) attacks
A critical security vulnerability has been discovered in Apache Tomcat’s HTTP/2 implementation, enabling attackers to launch severe denial-of-service (DoS) attacks against web servers. This vulnerability, designated as CVE-2025-48989 and referred to as the “Made You Reset” attack, affects multiple versions of the widely used Java servlet container, posing significant risks to web applications globally. Rated as High severity, the flaw impacts Apache Tomcat versions 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107. Security researchers from Tel Aviv University identified the vulnerability, which can lead to server crashes and unresponsiveness due to memory exhaustion. Immediate upgrades to patched versions, such as Apache Tomcat 11.0.10, 10.1.44, or 9.0.108, are essential to prevent exploitation.
The “Made You Reset” attack exploits weaknesses in Tomcat’s HTTP/2 protocol, specifically targeting the connection reset mechanism. When executed, the attack typically results in an OutOfMemoryError, causing the server to exhaust its memory resources and become unresponsive to legitimate requests. Attackers can craft malicious HTTP/2 requests that force the server to allocate excessive memory without proper release, leading to a memory leak. This behaviour can be triggered repeatedly, overwhelming the server’s memory pool and resulting in a denial-of-service condition. The attack leverages the HTTP/2 multiplexing feature, allowing multiple streams to be processed over a single TCP connection. By manipulating stream reset frames and connection management, attackers can force Tomcat to maintain numerous half-open connections, leading to resource exhaustion.
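As an added defender-side example (not code from the original article or from the Tomcat project), the check below maps a Tomcat version banner onto the affected ranges and first fixed releases listed above, handling the milestone naming (`11.0.0-M1`, `9.0.0.M1`) so that milestones sort before the final release of the same number. The inventory banners in `main` are constructed sample values.

```python
"""Flag Tomcat versions in the CVE-2025-48989 ("Made You Reset") affected ranges."""
import re
from typing import Dict, Optional, Tuple

# Per branch: (first affected, last affected, first fixed), as given in the advisory text.
AFFECTED = {
    (11, 0): ("11.0.0-M1", "11.0.9", "11.0.10"),
    (10, 1): ("10.1.0-M1", "10.1.43", "10.1.44"),
    (9, 0): ("9.0.0.M1", "9.0.107", "9.0.108"),
}

# Matches "9.0.107", "11.0.0-M1", "9.0.0.M1" and banners such as "Apache Tomcat/9.0.107".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Sentinel larger than any milestone number, so a final release sorts after its milestones.
_RELEASE = 10**6


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string or banner into a tuple that compares in release order."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tag = int(milestone) if milestone is not None else _RELEASE
    return int(major), int(minor), int(patch), tag


def check_cve_2025_48989(text: str) -> Optional[str]:
    """Return the first fixed release to upgrade to if `text` is affected, else None.

    Branches not listed in the advisory (e.g. 8.5.x) are reported as None, meaning
    "not in a listed affected range", not "known safe"."""
    v = parse_version(text)
    branch = AFFECTED.get((v[0], v[1]))
    if branch is None:
        return None
    first, last, fixed = branch
    return fixed if parse_version(first) <= v <= parse_version(last) else None


def triage(banners: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host -> required upgrade (or None) for a constructed host/banner inventory."""
    return {host: check_cve_2025_48989(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    inventory = {"app-01": "Apache Tomcat/9.0.107", "app-02": "Apache Tomcat/10.1.44"}
    for host, fix in triage(inventory).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```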