High severity 7.5 · GHSA Advisory · Published Dec 3, 2025 · Updated Apr 15, 2026
CVE-2024-3884
Description
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoded as application/x-www-form-urlencoded, the method causes an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.undertow:undertow-core (Maven) | < 2.2.39.Final | 2.2.39.Final |
| io.undertow:undertow-core (Maven) | >= 2.4.0.Alpha1, < 2.4.0.Beta1 | 2.4.0.Beta1 |
| io.undertow:undertow-core (Maven) | >= 2.3.0.Alpha1, < 2.3.21.Final | 2.3.21.Final |
Affected products (6)
- Range: >= 2.3.0.Alpha1, < 2.3.21.Final
- osv-coords, 5 versions: pkg:apk/chainguard/wildfly-openjdk-17, pkg:apk/chainguard/wildfly-openjdk-21, pkg:apk/wolfi/wildfly-openjdk-17, pkg:apk/wolfi/wildfly-openjdk-21, pkg:maven/io.undertow/undertow-core
- (no CPE) range: < 39.0.0-r0
- (no CPE) range: < 39.0.0-r0
- (no CPE) range: < 39.0.0-r0
- (no CPE) range: < 39.0.0-r0
- (no CPE) range: < 2.2.39.Final
References (29)
- github.com/advisories/GHSA-6h4f-pj3g-q8fq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-3884 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2025:22773 (ghsa, WEB)
- access.redhat.com/errata/RHSA-2025:22775 (ghsa, WEB)
- access.redhat.com/errata/RHSA-2025:22777 (ghsa, WEB)
- access.redhat.com/errata/RHSA-2025:3990 (ghsa, WEB)
- access.redhat.com/errata/RHSA-2025:3992 (ghsa, WEB)
- access.redhat.com/errata/RHSA-2026:0383 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:0384 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:0386 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:3889 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:3891 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:3892 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:4915 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:4916 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:4917 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:4924 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:6011 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:6012 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2024-3884 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/undertow-io/undertow/commit/cb854c779b9e2368c3c274ebd7217c8e75d505be (ghsa, WEB)
- github.com/undertow-io/undertow/pull/1856 (ghsa, WEB)
- github.com/undertow-io/undertow/pull/1860 (ghsa, WEB)
- github.com/undertow-io/undertow/pull/1882 (ghsa, WEB)
- github.com/undertow-io/undertow/pull/1894 (ghsa, WEB)
- github.com/undertow-io/undertow/releases/tag/2.2.39.Final (ghsa, WEB)
- github.com/undertow-io/undertow/releases/tag/2.3.21.Final (ghsa, WEB)
- github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1 (ghsa, WEB)