Search for packages
| purl | pkg:maven/io.undertow/undertow-core@2.3.0.Alpha1 |
| Next non-vulnerable version | 2.3.20.Final |
| Latest non-vulnerable version | 2.4.0.Beta1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1vrj-chs2-d3ab
Aliases: CVE-2023-1973 GHSA-97cq-f4jm-mv8h |
Undertow Denial of Service vulnerability A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory. |
Affected by 2 other vulnerabilities. |
|
VCID-2cv5-9v62-kfbm
Aliases: CVE-2024-1459 GHSA-v76w-3ph8-vm66 |
Undertow Path Traversal vulnerability A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories. |
Affected by 3 other vulnerabilities. |
|
VCID-5585-a76n-zubf
Aliases: CVE-2023-5379 |
Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS). |
Affected by 4 other vulnerabilities. |
|
VCID-brsa-ygcs-wudx
Aliases: CVE-2024-5971 GHSA-xpp6-8r3j-ww43 |
Undertow Denial of Service vulnerability A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected `0\r\n` termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. |
Affected by 2 other vulnerabilities. |
|
VCID-bsd5-k44s-buhu
Aliases: CVE-2024-3653 GHSA-ch7q-gpff-h9hp |
Undertow Missing Release of Memory after Effective Lifetime vulnerability A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request. |
Affected by 2 other vulnerabilities. |
|
VCID-d3ty-z2dg-vka1
Aliases: CVE-2023-4639 GHSA-3jrv-jgp8-45v3 |
Undertow incorrectly parses cookies A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. |
Affected by 4 other vulnerabilities. |
|
VCID-df16-86dz-nfc9
Aliases: CVE-2024-6162 GHSA-9442-gm4v-r222 |
Undertow's url-encoded request path information can be broken on ajp-listener A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up. |
Affected by 2 other vulnerabilities. |
|
VCID-huxp-ctsp-fqay
Aliases: CVE-2024-3884 GHSA-6h4f-pj3g-q8fq |
Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-kk1t-t63f-rqg2
Aliases: CVE-2025-12543 GHSA-j382-5jj3-vw4j |
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. |
Affected by 0 other vulnerabilities. |
|
VCID-ns3p-22xg-q3bz
Aliases: CVE-2025-9784 GHSA-95h4-w6j8-2rp8 |
Undertow MadeYouReset HTTP/2 DDoS Vulnerability A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). |
Affected by 0 other vulnerabilities. |
|
VCID-whcc-r17q-gffx
Aliases: CVE-2024-4027 GHSA-33hj-rcmx-86mv |
Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xftw-raz7-b7e1
Aliases: CVE-2022-2053 GHSA-95rf-557x-44g5 |
Undertow vulnerable to Dos via Large AJP request When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-xme8-usmd-vqg3
Aliases: CVE-2024-7885 GHSA-9623-mqmm-5rcf |
Undertow vulnerable to Race Condition A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||