Undertow: improper state management in proxy protocol parsing causes information leakage
Description
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Undertow's ProxyProtocolReadListener reuses a single StringBuilder across the requests handled on one HTTP connection, so data can leak between those requests; patched in Red Hat Enterprise Linux errata.
The vulnerability resides in Undertow's ProxyProtocolReadListener class, where the parseProxyProtocolV1 method reuses the same StringBuilder instance across multiple requests on the same HTTP connection [3]. This improper resource reuse can cause data from one request to persist and be inadvertently included in subsequent requests or responses [4]. Exploitation requires an attacker to send multiple requests over a single HTTP connection that uses the Proxy Protocol. By crafting specific sequences, the attacker may cause the shared StringBuilder to retain data from a previous request, which could then be reflected in a later response [3]. The vulnerability primarily manifests as errors and connection termination, but under certain conditions it can lead to unintended data exposure [4]. The impact of successful exploitation is information leakage, potentially exposing sensitive data from other requests handled on the same connection. Red Hat has released security updates (RHSA-2024:11023, RHSA-2026:0743, RHSA-2025:16667) to address this issue in Red Hat Enterprise Linux [1][2]. Users are advised to apply the appropriate patches to mitigate the risk [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
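As an added illustration (not Undertow's code; the class and method names are hypothetical), the Java program below contrasts the defect described above, a PROXY protocol v1 tokenizer whose StringBuilder is an instance field shared by every parse, with the per-parse allocation the fix introduces. A truncated header from one client leaves characters in the shared buffer; the next client's header is then tokenized on top of that residue and fails with an error that echoes part of the first client's address, while the hardened parser handles the second header cleanly. The sample headers are constructed; the record type needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

/**
 * Added illustration of the CVE-2024-7885 defect class, not Undertow's code.
 * Both parsers share one tokenizer; they differ only in where the StringBuilder lives.
 */
public class ProxyV1BufferReuseDemo {

    /** Parsed "PROXY <family> <src> <dst> <srcport> <dstport>\r\n" line. */
    public record Header(String family, String srcAddr, String dstAddr, int srcPort, int dstPort) {}

    private static final String SIGNATURE = "PROXY ";

    /** Tokenizer core: consumes the text after the signature, splitting on ' ' and '\r'. */
    private static Header parseAfterSignature(String line, StringBuilder token) {
        if (!line.startsWith(SIGNATURE)) {
            throw new IllegalArgumentException("missing PROXY signature");
        }
        List<String> tokens = new ArrayList<>();
        boolean complete = false;
        for (int i = SIGNATURE.length(); i < line.length(); i++) {
            char c = line.charAt(i);
            if (c == ' ') {
                tokens.add(token.toString());
                token.setLength(0);
            } else if (c == '\r') {
                tokens.add(token.toString());
                token.setLength(0);
                complete = true;            // trailing '\n' is not needed for this demo
                break;
            } else {
                token.append(c);
            }
        }
        // A truncated line (partial read) aborts here and leaves the current token in the buffer.
        if (!complete) {
            throw new IllegalStateException("incomplete header");
        }
        if (tokens.size() != 5) {
            throw new IllegalArgumentException("expected 5 fields, got " + tokens.size());
        }
        String family = tokens.get(0);
        if (!family.equals("TCP4") && !family.equals("TCP6")) {
            // Echoing the token exposes whatever the buffer held, including residue from an earlier parse.
            throw new IllegalArgumentException("unexpected family: " + family);
        }
        return new Header(family, tokens.get(1), tokens.get(2),
                Integer.parseInt(tokens.get(3)), Integer.parseInt(tokens.get(4)));
    }

    /** Vulnerable shape (mirrors the pre-fix field): one StringBuilder reused by every parse() call. */
    public static final class SharedBufferParser {
        private final StringBuilder token = new StringBuilder();
        public Header parse(String line) { return parseAfterSignature(line, token); }
    }

    /** Hardened shape (mirrors the fix): a fresh StringBuilder per parse, so nothing survives a failed parse. */
    public static final class PerParseBufferParser {
        public Header parse(String line) { return parseAfterSignature(line, new StringBuilder()); }
    }

    /**
     * Runs a truncated header (client one) and then a well-formed header (client two)
     * through the same parser instance and reports what client two sees.
     */
    static String secondClientOutcome(Function<String, Header> parse) {
        try {
            parse.apply("PROXY TCP4 198.51.100");     // constructed partial read: no CRLF, address cut short
        } catch (IllegalStateException expected) {
            // client one's connection would be dropped here; the parser instance lives on
        }
        try {
            return "ok: " + parse.apply("PROXY TCP4 192.0.2.10 203.0.113.9 51234 443\r\n");
        } catch (IllegalArgumentException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Shared buffer: client one's partial address prefixes client two's family token.
        System.out.println("shared buffer : " + secondClientOutcome(new SharedBufferParser()::parse));
        // Per-parse buffer: client two is parsed independently of client one.
        System.out.println("per-parse     : " + secondClientOutcome(new PerParseBufferParser()::parse));
    }
}
```

Compile and run with `javac ProxyV1BufferReuseDemo.java && java ProxyV1BufferReuseDemo`. The same pattern makes a useful regression test for any stateful parser: run a malformed input through an instance, then a valid one, and assert the result equals what a fresh instance produces.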
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.undertow:undertow-core | Maven | < 2.2.36.Final | 2.2.36.Final |
| io.undertow:undertow-core | Maven | >= 2.3.0.Alpha1, < 2.3.17.Final | 2.3.17.Final |
Affected products
- Range: >= 2.3.0.Alpha1, < 2.3.17.Final
Patches
ce5182c37376 [UNDERTOW-2429] CVE-2024-7885 Fix ProxyProtocolReadListener leak between multiple threads
1 file changed · +1 −1
core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java+1 −1 modified@@ -56,7 +56,6 @@ class ProxyProtocolReadListener implements ChannelListener<StreamSourceChannel> private InetAddress destAddress; private int sourcePort = -1; private int destPort = -1; - private StringBuilder stringBuilder = new StringBuilder(); private boolean carriageReturnSeen = false; private boolean parsingUnknown = false; @@ -223,6 +222,7 @@ private void parseProxyProtocolV2(PooledByteBuffer buffer, AtomicBoolean freeBuf } private void parseProxyProtocolV1(PooledByteBuffer buffer, AtomicBoolean freeBuffer) throws Exception { + final StringBuilder stringBuilder = new StringBuilder(); while (buffer.getBuffer().hasRemaining()) { char c = (char) buffer.getBuffer().get(); if (byteCount < NAME.length) {
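Review bot: dropping the stringBuilder field in the first hunk still leaves the other per-parse state (sourceAddress, destAddress, sourcePort, destPort, carriageReturnSeen, parsingUnknown) as instance fields of ProxyProtocolReadListener. If a listener instance can be reached from more than one thread or reused after a parse, as the commit message "leak between multiple threads" implies, those fields carry the same reuse risk; either reset them at the start of each parse or document that an instance is valid for exactly one connection.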
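Review bot: the local `final StringBuilder stringBuilder = new StringBuilder();` in the second hunk guarantees an empty buffer on every entry to parseProxyProtocolV1, but the visible loop only consumes what is currently in buffer.getBuffer(); if the method can be re-entered for the same connection after a partial read, characters accumulated on the earlier call are now discarded instead of carried over. A regression test that delivers a v1 header split across two reads would show the fix does not trade the cross-request leak for a truncated-header failure.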
80c125e09068 [UNDERTOW-2429] CVE-2024-7885 Fix ProxyProtocolReadListener leak between multiple threads
1 file changed · +1 −1
core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java+1 −1 modified@@ -56,7 +56,6 @@ class ProxyProtocolReadListener implements ChannelListener<StreamSourceChannel> private InetAddress destAddress; private int sourcePort = -1; private int destPort = -1; - private StringBuilder stringBuilder = new StringBuilder(); private boolean carriageReturnSeen = false; private boolean parsingUnknown = false; @@ -223,6 +222,7 @@ private void parseProxyProtocolV2(PooledByteBuffer buffer, AtomicBoolean freeBuf } private void parseProxyProtocolV1(PooledByteBuffer buffer, AtomicBoolean freeBuffer) throws IOException { + final StringBuilder stringBuilder = new StringBuilder(); while (buffer.getBuffer().hasRemaining()) { char c = (char) buffer.getBuffer().get(); if (byteCount < NAME.length) {
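Review bot: the second hunk here is the same one-line change as in commit ce5182c37376, with the method declared `throws IOException` rather than `throws Exception`; the narrower declaration is preferable, and the two branches should agree on it. As in that commit, the per-call builder discards any characters gathered by a previous invocation for the same connection, so a test covering a header delivered across two reads should accompany this backport as well.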
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2024:11023 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:6508 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:6883 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:7441 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:7442 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:7735 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:7736 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:8080 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2025:16667 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2026:0743 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-9623-mqmm-5rcf (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-7885 (advisory)
- access.redhat.com/security/cve/CVE-2024-7885 (vulnerability database entry, Red Hat)
- bugzilla.redhat.com/show_bug.cgi (issue tracking, Red Hat)
- github.com/undertow-io/undertow/blob/182e4ca1543c52f438b0244c930dca3d8b6e68e3/core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java (web)
- github.com/undertow-io/undertow/commit/80c125e09068ac52ed0a9acde266ef12f8ed7ae1 (web)
- github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8 (web)
- security.netapp.com/advisory/ntap-20241011-0004 (web)
News mentions
No linked articles in our index yet.