Skip to content

Update dependency io.undertow:undertow-core to v2.4.0.Final [SECURITY]#227

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/undertow.version
Open

Update dependency io.undertow:undertow-core to v2.4.0.Final [SECURITY]#227
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/undertow.version

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 6, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
io.undertow:undertow-core (source) 2.3.20.Final2.4.0.Final age confidence

Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests

CVE-2025-12543 / GHSA-j382-5jj3-vw4j

More information

Details

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

CVE-2024-3884 / GHSA-6h4f-pj3g-q8fq

More information

Details

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names

CVE-2024-4027 / GHSA-33hj-rcmx-86mv

More information

Details

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests

CVE-2026-3260 / GHSA-3x3v-w654-m28m

More information

Details

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

v2.4.0.Final

Compare Source

v2.3.24.Final

Compare Source

v2.3.23.Final: v.2.3.23.Final

Compare Source

Release 2.3.23.Final
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.23.Final

Bug

  • [UNDERTOW-2192] - session.getServletContext returns wrong context with shared-session-config
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

v2.3.22.Final: v.2.3.22.Final

Compare Source

Release 2.3.22.Final
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.22.Final

Bug

  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn&#​39;t expose deployment classes

v2.3.21.Final

Compare Source

Release 2.3.21.Final fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.21.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Feature Request

  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2591] - SSEHandler header Connection is set to close
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2675] - Make Undertow compatible with RFC6265

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated dependencies maintenance renovate security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants