Redhat Undertow vulnerabilities
45 known vulnerabilities affecting redhat/undertow.
Total CVEs: 45
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 24, MEDIUM 17
Vulnerabilities (page 1 of 3)
Each entry lists: CVE ID | severity | CVSS score | CWE (where given) | fixed / affected versions | date | data sources
CVE-2025-12543 | CRITICAL | CVSS 9.6 | CWE-20 | fixed in 2.2.39 | ≥ 2.3.0, < 2.3.21 | 2026-01-07 | sources: nvd
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perf
CVE-2025-9784 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.20-1 | 2025-09-02 | sources: osv
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this hi
CVE-2023-4639 | HIGH | CVSS 7.4 | ≥ 0, < 2.3.18-1 | 2024-11-17 | sources: osv
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat
CVE-2023-1973 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.18-1 | 2024-11-07 | sources: osv
A flaw was found in the Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutOfMemory error and exhausting the server's memory.
CVE-2024-7885 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.18-1 | 2024-08-21 | sources: osv
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance,
CVE-2024-5971 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.18-1 | 2024-07-08 | sources: osv
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent, but the client would continue waiting because Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side open to a denial of service attack.
CVE-2024-3653 | MEDIUM | CVSS 5.3 | ≥ 0, < 2.3.18-1 | 2024-07-08 | sources: osv
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, and leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overrides that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
CVE-2024-1635 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.18-1 | 2024-02-19 | sources: osv
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTime
CVE-2024-1459 | MEDIUM | CVSS 5.3 | ≥ 0, < 2.3.18-1 | 2024-02-12 | sources: osv
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
CVE-2023-5379 | HIGH | CVSS 7.5 | ≥ 0, < 2.3.18-1 | 2023-12-12 | sources: osv
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request witho
CVE-2023-3223 | HIGH | CVSS 7.5 | CWE-789 | fixed in 2.2.24 | 2023-09-27 | sources: nvd, osv
A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to nu
CVE-2023-1108 | HIGH | CVSS 7.5 | CWE-835 | fixed in 2.2.24 | ≥ 2.3.0, < 2.3.5 | 2023-09-14 | sources: nvd, osv
A flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status update in SslConduit, where the loop never terminates.
CVE-2022-4492 | HIGH | CVSS 7.5 | CWE-918 | v2.7.0 | v2.7 | 2023-02-23 | sources: cvelistv5, nvd, osv
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
CVE-2022-2764 | MEDIUM | CVSS 4.9 | CWE-400 | ≥ 2.0.0, ≤ 2.2.19 | v2.3.0 (+1 more) | 2022-09-01 | sources: cvelistv5, nvd, osv
A flaw was found in Undertow. Denial of service can be achieved as the Undertow server waits for the LAST_CHUNK forever for EJB invocations.
CVE-2022-1259 | HIGH | CVSS 7.5 | ≤ 2.2.17 | v2.2.18 (+1 more) | 2022-08-31 | sources: cvelistv5, nvd
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
CVE-2022-1319 | HIGH | CVSS 7.5 | CWE-252 | fixed in 2.2.17 | v2.2.17 (+3 more) | 2022-08-31 | sources: cvelistv5, nvd, osv
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING, since it reads in the second SEND_HEADERS response packet instead of a CPONG.
CVE-2021-3859 | HIGH | CVSS 7.5 | CWE-214 | fixed in 2.2.15 (2.2.15.Final) | 2022-08-26 | sources: cvelistv5, nvd, osv
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
CVE-2021-3690 | HIGH | CVSS 7.5 | CWE-400 | fixed in 2.0.40 | ≥ 2.1.0, < 2.2.10 (+1 more) | 2022-08-23 | sources: cvelistv5, nvd, osv
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
CVE-2022-2053 | HIGH | CVSS 7.5 | CWE-400 | fixed in 2.2.19 | v2.3.0 (+1 more) | 2022-08-05 | sources: cvelistv5, nvd, osv
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes the connection without sending any response to the client/proxy. This behavior results in a front-end proxy marking the backend worker (application server) as being in an error state and not forward re
CVE-2021-3629 | MEDIUM | CVSS 5.9 | CWE-400 | fixed in 2.0.40 | ≥ 2.2.0, < 2.2.11 (+1 more) | 2022-05-24 | sources: cvelistv5, nvd, osv
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.