io.undertow:undertow-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package io.undertow:undertow-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (39)
CVE-2019-3888 — CVSS 9.8 (critical): A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because…
CVE-2019-10212 — CVSS 9.8 (critical): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this…
CVE-2025-12543 — CVSS 9.6 (critical): A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library…
CVE-2020-1745 — CVSS 8.6 (high): A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version…
CVE-2020-1757 — CVSS 8.1 (high): A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to…
CVE-2024-4027 — CVSS 7.5 (high): A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError…
CVE-2025-9784 — CVSS 7.5 (high): A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This…
CVE-2017-2670 — CVSS 7.5 (high): It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread…
CVE-2020-27782 — CVSS 7.5 (high): A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using…
CVE-2024-6162 — CVSS 7.5 (high): A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener…
CVE-2021-3690 — CVSS 7.5 (high): A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an…
CVE-2021-3859 — CVSS 7.5 (high): A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an…
CVE-2022-2053 — CVSS 7.5 (high): When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit…
CVE-2022-4492 — CVSS 7.5 (high): The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step…
CVE-2023-1108 — CVSS 7.5 (high): A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in…
CVE-2023-1973 — CVSS 7.5 (high): A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending…
CVE-2024-1635 — CVSS 7.5 (high): A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a…
CVE-2024-3884 — CVSS 7.5 (high): A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(Str…
CVE-2024-5971 — CVSS 7.5 (high): A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent…
CVE-2019-14888 — CVSS 7.5 (high): A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the…
CVE-2024-7885 — CVSS 7.5 (high): A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests…
CVE-2020-10705 — CVSS 7.5 (high): A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may…
CVE-2023-4639 — CVSS 7.4 (high): A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue…
CVE-2020-10719 — CVSS 6.5 (medium): A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This…
CVE-2017-2666 — CVSS 6.5 (medium): It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in…
CVE-2018-1114 — CVSS 6.5 (medium): It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file…
CVE-2017-7559 — CVSS 6.1 (medium): In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666…
CVE-2021-3629 — CVSS 5.9 (medium): A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead…
CVE-2021-3597 — CVSS 5.9 (medium): A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of…
CVE-2016-7046 — CVSS 5.9 (medium): Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers…
CVE-2024-3653 — CVSS 5.3 (medium): A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by…
CVE-2024-1459 — CVSS 5.3 (medium): A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an…
CVE-2018-14642 — CVSS 5.3 (medium): An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that…
CVE-2014-7816 — CVSS 5.0 (medium): Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running…
CVE-2021-20220 — CVSS 4.8 (medium): A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is…
CVE-2020-10687 — CVSS 4.8 (medium): A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is…
CVE-2017-12196 — CVSS 4.8 (medium): undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not…
CVE-2017-12165 — CVSS 2.6 (low): It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause…
CVE-2026-3260: Rejected reason: The Undertow web server enforces a default maximum HTTP request entity size limit. Any request (including GET or HEAD)…