VulnerableCode Package Details - pkg:maven/io.undertow/undertow-core@2.2.39.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-5585-a76n-zubf Aliases: CVE-2023-5379	Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).	2.3.11.Final Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-5585-a76n-zubf
Aliases:
CVE-2023-5379

Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).

2.3.11.Final
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-huxp-ctsp-fqay	Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.	CVE-2024-3884 GHSA-6h4f-pj3g-q8fq
VCID-kk1t-t63f-rqg2	Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.	CVE-2025-12543 GHSA-j382-5jj3-vw4j
VCID-whcc-r17q-gffx	Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.	CVE-2024-4027 GHSA-33hj-rcmx-86mv

Vulnerability

Summary

Aliases

VCID-huxp-ctsp-fqay

Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

CVE-2024-3884
GHSA-6h4f-pj3g-q8fq

VCID-kk1t-t63f-rqg2

Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

CVE-2025-12543
GHSA-j382-5jj3-vw4j

VCID-whcc-r17q-gffx

Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

CVE-2024-4027
GHSA-33hj-rcmx-86mv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:13:49.108955+00:00	GitLab Importer	Fixing	VCID-whcc-r17q-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-4027.yml	38.4.0
2026-04-17T00:06:19.699654+00:00	GitLab Importer	Fixing	VCID-kk1t-t63f-rqg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-12543.yml	38.4.0
2026-04-17T00:01:41.684017+00:00	GitLab Importer	Fixing	VCID-huxp-ctsp-fqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-3884.yml	38.4.0
2026-04-16T22:45:20.487601+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.4.0
2026-04-12T01:37:43.551587+00:00	GitLab Importer	Fixing	VCID-whcc-r17q-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-4027.yml	38.3.0
2026-04-12T01:29:40.792190+00:00	GitLab Importer	Fixing	VCID-kk1t-t63f-rqg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-12543.yml	38.3.0
2026-04-12T01:24:39.324764+00:00	GitLab Importer	Fixing	VCID-huxp-ctsp-fqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-3884.yml	38.3.0
2026-04-12T00:04:58.549278+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.3.0
2026-04-03T01:46:40.900411+00:00	GitLab Importer	Fixing	VCID-whcc-r17q-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-4027.yml	38.1.0
2026-04-03T01:38:25.186620+00:00	GitLab Importer	Fixing	VCID-kk1t-t63f-rqg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-12543.yml	38.1.0
2026-04-03T01:33:16.745492+00:00	GitLab Importer	Fixing	VCID-huxp-ctsp-fqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-3884.yml	38.1.0
2026-04-03T00:09:39.713231+00:00	GitLab Importer	Affected by	VCID-5585-a76n-zubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2023-5379.yml	38.1.0
2026-04-01T16:07:51.919465+00:00	GHSA Importer	Fixing	VCID-whcc-r17q-gffx	https://github.com/advisories/GHSA-33hj-rcmx-86mv	38.0.0
2026-04-01T16:07:30.163541+00:00	GHSA Importer	Fixing	VCID-kk1t-t63f-rqg2	https://github.com/advisories/GHSA-j382-5jj3-vw4j	38.0.0
2026-04-01T16:07:16.341921+00:00	GHSA Importer	Fixing	VCID-huxp-ctsp-fqay	https://github.com/advisories/GHSA-6h4f-pj3g-q8fq	38.0.0
2026-04-01T12:55:32.306885+00:00	GithubOSV Importer	Fixing	VCID-huxp-ctsp-fqay	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-6h4f-pj3g-q8fq/GHSA-6h4f-pj3g-q8fq.json	38.0.0
2026-04-01T12:53:45.486141+00:00	GitLab Importer	Fixing	VCID-whcc-r17q-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-4027.yml	38.0.0
2026-04-01T12:53:37.088807+00:00	GitLab Importer	Fixing	VCID-kk1t-t63f-rqg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2025-12543.yml	38.0.0
2026-04-01T12:53:28.290915+00:00	GitLab Importer	Fixing	VCID-huxp-ctsp-fqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2024-3884.yml	38.0.0
2026-04-01T12:52:25.778182+00:00	GithubOSV Importer	Fixing	VCID-kk1t-t63f-rqg2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-j382-5jj3-vw4j/GHSA-j382-5jj3-vw4j.json	38.0.0
2026-04-01T12:52:21.666799+00:00	GithubOSV Importer	Fixing	VCID-whcc-r17q-gffx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-33hj-rcmx-86mv/GHSA-33hj-rcmx-86mv.json	38.0.0