VYPR

Undertow

by Undertow Io

CVEs (11)

  • CVE-2024-3884 | High | Dec 3, 2025
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory…

  • CVE-2023-1973 | High | Nov 7, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory.

  • CVE-2024-5971 | High | Jul 8, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.03

    A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in…

  • CVE-2024-6162 | High | Jun 20, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.02

    A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path…

  • CVE-2023-4639 | High | Nov 17, 2024
    risk 0.41 | CVSS 7.4 | EPSS 0.01

    A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading…

  • CVE-2024-3653 | Medium | Jul 8, 2024
    risk 0.28 | CVSS 5.3 | EPSS 0.02

    A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites…

  • CVE-2025-12543 | Jan 7, 2026
    risk 0.00 | CVSS not listed | EPSS 0.01

    A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are…

  • CVE-2025-9784 | Sep 2, 2025
    risk 0.00 | CVSS not listed | EPSS 0.02

    A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing…

  • CVE-2024-7885 | Aug 21, 2024
    risk 0.00 | CVSS not listed | EPSS 0.03

    A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different…

  • CVE-2020-1745 | Apr 28, 2020
    risk 0.00 | CVSS not listed | EPSS 0.05

    A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web…

  • CVE-2019-10184 | Jul 25, 2019
    risk 0.00 | CVSS not listed | EPSS 0.03

    Undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the API.