VulnerableCode Package Details - pkg:maven/io.undertow/undertow-core@2.2.33.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-5585-a76n-zubf Aliases: CVE-2023-5379	Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).	2.3.11.Final Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ns3p-22xg-q3bz Aliases: CVE-2025-9784 GHSA-95h4-w6j8-2rp8	Undertow MadeYouReset HTTP/2 DDoS Vulnerability A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).	2.2.38.Final Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.3.20.Final Affected by 0 other vulnerabilities.
VCID-xme8-usmd-vqg3 Aliases: CVE-2024-7885 GHSA-9623-mqmm-5rcf	Undertow vulnerable to Race Condition A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.	2.2.36.Final Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.17.Final Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-5585-a76n-zubf
Aliases:
CVE-2023-5379

Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).

2.3.11.Final
Affected by 4 other vulnerabilities.

VCID-ns3p-22xg-q3bz
Aliases:
CVE-2025-9784
GHSA-95h4-w6j8-2rp8

Undertow MadeYouReset HTTP/2 DDoS Vulnerability A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

2.2.38.Final
Affected by 1 other vulnerability.

2.3.20.Final
Affected by 0 other vulnerabilities.

VCID-xme8-usmd-vqg3
Aliases:
CVE-2024-7885
GHSA-9623-mqmm-5rcf

Undertow vulnerable to Race Condition A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

2.2.36.Final
Affected by 2 other vulnerabilities.

2.3.17.Final
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-df16-86dz-nfc9	Undertow's url-encoded request path information can be broken on ajp-listener A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.	CVE-2024-6162 GHSA-9442-gm4v-r222

Vulnerability

Summary

Aliases

VCID-df16-86dz-nfc9

Undertow's url-encoded request path information can be broken on ajp-listener A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CVE-2024-6162
GHSA-9442-gm4v-r222

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:39:47.489378+00:00	GitLab Importer	Affected by	VCID-ns3p-22xg-q3bz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-9784.yml	38.4.0
2026-04-16T23:06:31.909957+00:00	GitLab Importer	Affected by	VCID-xme8-usmd-vqg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-7885.yml	38.4.0
2026-04-16T23:02:54.643446+00:00	GitLab Importer	Fixing	VCID-df16-86dz-nfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-6162.yml	38.4.0
2026-04-16T22:45:20.465028+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.4.0
2026-04-12T01:00:31.732124+00:00	GitLab Importer	Affected by	VCID-ns3p-22xg-q3bz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-9784.yml	38.3.0
2026-04-12T00:24:32.371371+00:00	GitLab Importer	Affected by	VCID-xme8-usmd-vqg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-7885.yml	38.3.0
2026-04-12T00:20:43.908702+00:00	GitLab Importer	Fixing	VCID-df16-86dz-nfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-6162.yml	38.3.0
2026-04-12T00:04:58.527207+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.3.0
2026-04-03T01:08:43.438443+00:00	GitLab Importer	Affected by	VCID-ns3p-22xg-q3bz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-9784.yml	38.1.0
2026-04-03T00:32:07.995339+00:00	GitLab Importer	Affected by	VCID-xme8-usmd-vqg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-7885.yml	38.1.0
2026-04-03T00:28:16.870736+00:00	GitLab Importer	Fixing	VCID-df16-86dz-nfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-6162.yml	38.1.0
2026-04-03T00:09:39.689432+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.1.0
2026-04-02T12:39:38.290874+00:00	GitLab Importer	Fixing	VCID-df16-86dz-nfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-6162.yml	38.0.0
2026-04-01T16:05:53.102970+00:00	GHSA Importer	Fixing	VCID-df16-86dz-nfc9	https://github.com/advisories/GHSA-9442-gm4v-r222	38.0.0
2026-04-01T12:51:38.092229+00:00	GithubOSV Importer	Fixing	VCID-df16-86dz-nfc9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-9442-gm4v-r222/GHSA-9442-gm4v-r222.json	38.0.0