Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xftw-raz7-b7e1
Vulnerability ID VCID-xftw-raz7-b7e1
Aliases CVE-2022-2053
GHSA-95rf-557x-44g5
Summary Undertow vulnerable to Dos via Large AJP request When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2053.json
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
epss 0.00305 https://api.first.org/data/v1/epss?cve=CVE-2022-2053
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-95rf-557x-44g5
cvssv3.1 7.5 https://github.com/undertow-io/undertow
generic_textual HIGH https://github.com/undertow-io/undertow
cvssv3.1 7.5 https://github.com/undertow-io/undertow/pull/1350
generic_textual HIGH https://github.com/undertow-io/undertow/pull/1350
cvssv3.1 7.5 https://issues.redhat.com/browse/UNDERTOW-2133
generic_textual HIGH https://issues.redhat.com/browse/UNDERTOW-2133
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-2053
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-2053
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2053.json
https://api.first.org/data/v1/epss?cve=CVE-2022-2053
https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0
https://github.com/undertow-io/undertow
https://github.com/undertow-io/undertow/pull/1350
https://issues.redhat.com/browse/UNDERTOW-2133
https://nvd.nist.gov/vuln/detail/CVE-2022-2053
2095862 https://bugzilla.redhat.com/show_bug.cgi?id=2095862
GHSA-95rf-557x-44g5 https://github.com/advisories/GHSA-95rf-557x-44g5
RHSA-2022:6821 https://access.redhat.com/errata/RHSA-2022:6821
RHSA-2022:6822 https://access.redhat.com/errata/RHSA-2022:6822
RHSA-2022:6823 https://access.redhat.com/errata/RHSA-2022:6823
RHSA-2022:6825 https://access.redhat.com/errata/RHSA-2022:6825
RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2053.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/pull/1350
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://issues.redhat.com/browse/UNDERTOW-2133
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2053
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.53682
EPSS Score 0.00305
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:06:38.916579+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-95rf-557x-44g5/GHSA-95rf-557x-44g5.json 38.0.0