Redhat Undertow vulnerabilities

CVE-2025-12543 [CRITICAL] CWE-20 CVE-2025-12543: A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Ja A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perf

CVE-2023-3223 [HIGH] CWE-789 CVE-2023-3223: A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to nu

CVE-2023-1108 [HIGH] CWE-835 CVE-2023-1108: A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unex A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

CVE-2022-4492 [HIGH] CWE-918 CVE-2022-4492: The undertow client is not checking the server identity presented by the server certificate in https The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

CVE-2022-2764 [MEDIUM] CWE-400 CVE-2022-2764: A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAS A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.

CVE-2022-1259 [HIGH] CVE-2022-1259: A flaw was found in Undertow. A potential security issue in flow control handling by the browser ove A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

CVE-2022-1319 [HIGH] CWE-252 CVE-2022-1319: A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response pack A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.

CVE-2021-3859 [HIGH] CWE-214 CVE-2021-3859: A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

CVE-2021-3690 [HIGH] CWE-400 CVE-2021-3690: A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memor A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

CVE-2022-2053 [HIGH] CWE-400 CVE-2022-2053: When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward re

CVE-2021-3629 [MEDIUM] CWE-400 CVE-2021-3629: A flaw was found in Undertow. A potential security issue in flow control handling by the browser ove A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.

CVE-2021-3597 [MEDIUM] CWE-362 CVE-2021-3597: A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circu A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior

CVE-2019-19343 [HIGH] CWE-400 CVE-2019-19343: A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2. A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.

CVE-2020-27782 [HIGH] CWE-400 CVE-2020-27782: A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes coul A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.

CVE-2021-20220 [MEDIUM] CVE-2021-20220: A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smu A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than

CVE-2020-10687 [MEDIUM] CVE-2020-10687: A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request sm A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other tha

CVE-2020-10705 [HIGH] CWE-770 CVE-2020-10705: A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

CVE-2020-10719 [MEDIUM] CWE-444 CVE-2020-10719: A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTT A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

CVE-2020-1745 [HIGH] CWE-285 CVE-2020-1745: A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configurati A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server

CVE-2020-1757 [HIGH] CWE-20 CVE-2020-1757: A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.