CVE-2025-55163
Netty MadeYouReset HTTP/2 DDoS Vulnerability
Description
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
INFO
Published Date :
Aug. 13, 2025, 3:15 p.m.
Last Modified :
Sept. 10, 2025, 2:48 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Update Netty to version 4.1.124.Final or 4.2.4.Final.
- Apply security patches to the Netty framework.
Public PoC/Exploit Available at Github
CVE-2025-55163 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-55163.
| URL | Resource |
|---|---|
| https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4 | Exploit Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-55163 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-55163
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Dockerfile
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-55163 vulnerability anywhere in the article.
-
The Cyber Express
New HTTP/2 DoS Vulnerability Prompts Vendor and Project Fixes
A new HTTP/2 denial of service (DoS) vulnerability that circumvents mitigations put in place after 2023’s “Rapid Reset” vulnerability is largely being addressed by affected vendors and projects, thank ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 33
The Good | DoJ Charges $100M Fraud Ring & Seizes $1M in Crypto from BlackSuit Ransomware The DoJ has charged four Ghanaian nationals, Isaac Oduro Boateng (aka “Kofi Boat”), Inusah Ahmed (aka “Pascal”) ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 33
The Good | DoJ Charges $100M Fraud Ring & Seizes $1M in Crypto from BlackSuit Ransomware The DoJ has charged four Ghanaian nationals, Isaac Oduro Boateng (aka “Kofi Boat”), Inusah Ahmed (aka “Pascal”) ... Read more
-
CybersecurityNews
New HTTP/2 MadeYouReset Vulnerability Enables Large-Scale DDoS Attacks
Security researchers have identified a new denial-of-service (DoS) vulnerability in HTTP/2 implementations, referred to as MadeYouReset (CVE-2025-8671). This discovery represents a notable escalation ... Read more
-
The Hacker News
New HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks
Aug 14, 2025Ravie LakshmananServer Security / Vulnerability Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that could be explored to conduc ... Read more
The following table lists the changes that have been made to the
CVE-2025-55163 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Sep. 10, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Added CPE Configuration OR *cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.124 *cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions from (including) 4.2.0 up to (excluding) 4.2.4 Added Reference Type GitHub, Inc.: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4 Types: Exploit, Vendor Advisory -
New CVE Received by [email protected]
Aug. 13, 2025
Action Type Old Value New Value Added Description Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final. Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-770 Added Reference https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4