Undertow

by Red Hat

CVEs (19)

  • CVE-2026-28369 | High | Mar 27, 2026
    risk 0.50 | cvss 8.7 | epss 0.01

    A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote…

  • CVE-2026-28368 | High | Mar 27, 2026
    risk 0.50 | cvss 8.7 | epss 0.01

    A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request…

  • CVE-2026-28367 | High | Mar 27, 2026
    risk 0.50 | cvss 8.7 | epss 0.01

    A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic…

  • CVE-2018-1114 | Medium | Sep 11, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    It was found that URLResource.getLastModified() in Undertow closes file descriptors only when they are finalized, which can exhaust the available file descriptors. This leads to a file handle leak.

  • CVE-2017-7559 | Medium | Jan 10, 2018
    risk 0.40 | cvss 6.1 | epss 0.02

    In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction…

  • CVE-2026-3260 | Medium | Mar 24, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and…

  • CVE-2018-14642 | Medium | Sep 18, 2018
    risk 0.35 | cvss 5.3 | epss 0.02

    An information leak vulnerability was found in Undertow. If not all headers are written out in the first write() call, the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

  • CVE-2017-12165 | Low | Jul 27, 2018
    risk 0.10 | cvss 2.6 | epss 0.02

    It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes HTTP request headers containing unusual whitespace, which can enable HTTP request smuggling.

  • CVE-2014-7816 | Dec 1, 2014
    risk 0.05 | cvss not listed | epss 0.25

    Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

  • CVE-2023-5379 | Dec 12, 2023
    risk 0.00 | cvss not listed | epss 0.01

    A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens…

  • CVE-2022-2764 | Sep 1, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A flaw was found in Undertow. A denial of service can be achieved because the Undertow server waits forever for the LAST_CHUNK on EJB invocations.

  • CVE-2022-1259 | Aug 31, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

  • CVE-2022-1319 | Aug 31, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in…

  • CVE-2019-19343 | Mar 23, 2021
    risk 0.00 | cvss not listed | epss 0.02

    A flaw was found in Undertow when using Remoting as shipped in Red Hat JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting…

  • CVE-2020-10719 | May 26, 2020
    risk 0.00 | cvss not listed | epss 0.01

    A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

  • CVE-2020-1757 | Apr 21, 2020
    risk 0.00 | cvss not listed | epss 0.02

    A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which…

  • CVE-2019-14888 | Jan 23, 2020
    risk 0.00 | cvss not listed | epss 0.02

    A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a denial of service (DoS) that makes the service unavailable over SSL.

  • CVE-2019-10212 | Oct 2, 2019
    risk 0.00 | cvss not listed | epss 0.02

    A flaw was found in all Undertow versions before 2.0.20 in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

  • CVE-2019-3888 | Jun 12, 2019
    risk 0.00 | cvss not listed | epss 0.03

    A vulnerability was found in the Undertow web server before 2.0.21. Plain-text credentials are exposed through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFaile…