Every CVE whose affected-product data names Redhat Undertow, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (39)
CVE-2019-10212 — CVSS 9.8 (critical): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this…
CVE-2019-3888 — CVSS 9.8 (critical): A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because…
CVE-2025-12543 — CVSS 9.6 (critical): A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library…
CVE-2026-28369 — CVSS 8.7 (high): A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it…
CVE-2026-28368 — CVSS 8.7 (high): A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are…
CVE-2026-28367 — CVSS 8.7 (high): A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can…
CVE-2020-1745 — CVSS 8.6 (high): A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version…
CVE-2020-1757 — CVSS 8.1 (high): A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to…
CVE-2020-27782 — CVSS 7.5 (high): A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using…
CVE-2017-2670 — CVSS 7.5 (high): It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread…
CVE-2019-10184 — CVSS 7.5 (high): undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted…
CVE-2019-14888 — CVSS 7.5 (high): A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the…
CVE-2019-19343 — CVSS 7.5 (high): A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener…
CVE-2020-10705 — CVSS 7.5 (high): A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may…
CVE-2021-3690 — CVSS 7.5 (high): A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an…
CVE-2021-3859 — CVSS 7.5 (high): A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an…
CVE-2022-1259 — CVSS 7.5 (high): A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial…
CVE-2022-1319 — CVSS 7.5 (high): A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse…
CVE-2022-2053 — CVSS 7.5 (high): When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit…
CVE-2022-4492 — CVSS 7.5 (high): The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step…
CVE-2023-1108 — CVSS 7.5 (high): A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in…
CVE-2023-3223 — CVSS 7.5 (high): A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This…
CVE-2023-5379 — CVSS 7.5 (high): A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked…
CVE-2025-9784 — CVSS 7.5 (high): A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This…
CVE-2020-10719 — CVSS 6.5 (medium): A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This…
CVE-2017-2666 — CVSS 6.5 (medium): It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in…
CVE-2018-1114 — CVSS 6.5 (medium): It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file…
CVE-2017-7559 — CVSS 6.1 (medium): In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666…
CVE-2018-1067 — CVSS 6.1 (medium): In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is…
CVE-2021-3597 — CVSS 5.9 (medium): A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of…
CVE-2021-3629 — CVSS 5.9 (medium): A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead…
CVE-2018-14642 — CVSS 5.3 (medium): An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that…
CVE-2024-1459 — CVSS 5.3 (medium): A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an…
CVE-2014-7816 — CVSS 5.0 (medium): Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running…
CVE-2022-2764 — CVSS 4.9 (medium): A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
CVE-2020-10687 — CVSS 4.8 (medium): A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is…
CVE-2021-20220 — CVSS 4.8 (medium): A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is…
CVE-2017-12196 — CVSS 4.8 (medium): undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not…
CVE-2017-12165 — CVSS 2.6 (low): It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause…