VYPR
High severity · 7.5 · NVD Advisory · Published Jun 20, 2024 · Updated Apr 15, 2026

CVE-2024-6162
Description

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
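The description above comes down to one mutable field shared by every request a parser instance handles. The following Java program is an added illustration, not Undertow's code: it uses a small assumed stand-in for the `URLUtils.decode` call (a percent-decoder that writes into a caller-supplied `StringBuilder`), puts the lazily-created shared buffer beside the per-call buffer, and runs both under several threads decoding constructed sample paths. It is the shape of regression test a maintainer would want for this class of bug: the per-request variant must produce zero wrong paths, while the shared variant typically produces mixed-up paths or throws from inside `append`, which the harness counts as a failure too.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Added demonstration (not Undertow code): shared vs. per-request decode buffer.
public class SharedDecodeBufferDemo {

    interface PathParser { String parsePath(String raw); }

    // Assumed simplified stand-in for URLUtils.decode: percent-decodes `url`
    // into the scratch buffer the caller provides (ASCII escapes only).
    static String decode(String url, StringBuilder buf) {
        buf.setLength(0);                               // reuse the buffer from the start
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == '%' && i + 2 < url.length()) {
                buf.append((char) Integer.parseInt(url.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                buf.append(c);
            }
        }
        return buf.toString();
    }

    // The pattern the fix removed: one lazily-created buffer per parser instance,
    // shared by every request that instance decodes. No synchronization anywhere.
    static final class SharedBufferParser implements PathParser {
        private StringBuilder decodeBuffer;             // not final, reachable from all threads
        public String parsePath(String raw) {
            if (decodeBuffer == null) {                 // unsynchronized check-then-act
                decodeBuffer = new StringBuilder();
            }
            return decode(raw, decodeBuffer);
        }
    }

    // The pattern the fix introduced: a fresh, call-local buffer per decode.
    static final class PerRequestBufferParser implements PathParser {
        public String parsePath(String raw) {
            return decode(raw, new StringBuilder());
        }
    }

    // Runs `threads` workers, each decoding its own distinct path `iterations` times,
    // and returns how many results were not the path that worker sent.
    static int countMixups(PathParser parser, int threads, int iterations) throws InterruptedException {
        AtomicInteger mixups = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        List<Thread> workers = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            // Constructed sample paths; each worker has a different expected result.
            final String raw = "/app/user%20" + t + "/report%2Epdf";
            final String expected = "/app/user " + t + "/report.pdf";
            Thread w = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int i = 0; i < iterations; i++) {
                    try {
                        if (!expected.equals(parser.parsePath(raw))) mixups.incrementAndGet();
                    } catch (RuntimeException e) {      // a racing StringBuilder can also throw
                        mixups.incrementAndGet();
                    }
                }
            });
            workers.add(w);
            w.start();
        }
        start.countDown();                              // release all workers at once
        for (Thread w : workers) w.join();
        return mixups.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 8, iterations = 20_000, total = threads * iterations;
        int shared = countMixups(new SharedBufferParser(), threads, iterations);
        int perRequest = countMixups(new PerRequestBufferParser(), threads, iterations);
        System.out.println("shared buffer:      " + shared + " wrong paths out of " + total);
        System.out.println("per-request buffer: " + perRequest + " wrong paths out of " + total);
        // The per-request variant is the regression check and must be exactly zero.
        if (perRequest != 0) throw new AssertionError("per-request buffer produced a wrong path");
    }
}
```

The count for the shared variant is timing-dependent and is printed rather than asserted; the point of the harness is the zero for the per-request variant, which holds because the buffer is never reachable from more than one thread. Note that only paths containing percent-encoding go through the decoder at all, which is why the sample paths above include `%20` and `%2E`.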

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
io.undertow:undertow-core (Maven) | >= 2.3.0.Alpha1, < 2.3.14.Final | 2.3.14.Final
io.undertow:undertow-core (Maven) | < 2.2.33.Final | 2.2.33.Final

Patches (2)

90f202ada89b

[UNDERTOW-2334] CVE-2024-6162 AJP Parser: Do not share the decodeBuffer StringBuilder instance between requests

https://github.com/undertow-io/undertow · Tomas Hofman · Nov 16, 2023 · via ghsa
1 file changed · +1 −4
  • core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java (+1 −4, modified)
    @@ -77,7 +77,6 @@ public class AjpRequestParser {
         private final boolean slashDecodingFlag;
         private final int maxParameters;
         private final int maxHeaders;
    -    private StringBuilder decodeBuffer;
         private final boolean allowUnescapedCharactersInUrl;
         private final Pattern allowedRequestAttributesPattern;
     
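Review bot: with `decodeBuffer` removed, every field left in this hunk is `final`, which is exactly the property that makes a single `AjpRequestParser` safe to share between AJP connections; consider adding a one-line class comment stating that the parser holds no per-request state, so a future "cache the scratch buffer in a field" change does not reintroduce the same cross-request mix-up.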
    @@ -509,9 +508,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
         private String decode(String url, final boolean containsUrlCharacters) throws UnsupportedEncodingException {
             if (doDecode && containsUrlCharacters) {
                 try {
    -                if(decodeBuffer == null) {
    -                    decodeBuffer = new StringBuilder();
    -                }
    +                final StringBuilder decodeBuffer = new StringBuilder();
                     return URLUtils.decode(url, this.encoding, slashDecodingFlag, false, decodeBuffer);
                 } catch (Exception e) {
                     throw UndertowMessages.MESSAGES.failedToDecodeURL(url, encoding, e);
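Review bot: the removed `if(decodeBuffer == null)` block is the defect itself: an unsynchronized check-then-act on a field reachable from every request, after which two concurrent calls hand the same StringBuilder to `URLUtils.decode` and one request gets back a path containing the other's characters. The replacement `final StringBuilder decodeBuffer = new StringBuilder();` makes the buffer call-local, so no locking is needed and the cost is one short-lived allocation per decoded path, which is negligible next to the parse. Two small follow-ups: passing `url.length()` as the initial capacity would avoid regrowth since the decoded path can never be longer than the encoded one, and because only the `doDecode && containsUrlCharacters` branch is touched, a concurrency regression test for this change must use paths that actually contain percent-encoding or it will never reach the fixed code.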
    
a28ac53076e2

[UNDERTOW-2334] CVE-2024-6162 AJP Parser: Do not share the decodeBuffer StringBuilder instance between requests

https://github.com/undertow-io/undertow · Tomas Hofman · Nov 16, 2023 · via ghsa
1 file changed · +1 −4
  • core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java (+1 −4, modified)
    @@ -77,7 +77,6 @@ public class AjpRequestParser {
         private final boolean slashDecodingFlag;
         private final int maxParameters;
         private final int maxHeaders;
    -    private StringBuilder decodeBuffer;
         private final boolean allowUnescapedCharactersInUrl;
         private final Pattern allowedRequestAttributesPattern;
     
    @@ -509,9 +508,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
         private String decode(String url, final boolean containsUrlCharacters) throws UnsupportedEncodingException {
             if (doDecode && containsUrlCharacters) {
                 try {
    -                if(decodeBuffer == null) {
    -                    decodeBuffer = new StringBuilder();
    -                }
    +                final StringBuilder decodeBuffer = new StringBuilder();
                     return URLUtils.decode(url, this.encoding, slashDecodingFlag, false, decodeBuffer);
                 } catch (Exception e) {
                     throw UndertowMessages.MESSAGES.failedToDecodeURL(url, encoding, e);
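Review bot: both hunks of this commit are identical to those of 90f202ada89b (same removal of the `decodeBuffer` field, same call-local `new StringBuilder()` in `decode`), and the affected-packages table above lists two version ranges, consistent with one commit per maintained branch; the comments on the first commit apply unchanged and there is nothing branch-specific to review here.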
    

