Red Hat Undertow
40 CVEs affecting Red Hat Undertow. Latest disclosed: 2026-03-27. Critical: 3, High: 21.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2019-10212 | Critical | 9.8 | 2019-10-02 | A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the… |
| CVE-2019-3888 | Critical | 9.8 | 2019-06-12 | A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeR… |
| CVE-2025-12543 | Critical | 9.6 | 2026-01-07 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly val… |
| CVE-2026-28369 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the r… |
| CVE-2026-28368 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by… |
| CVE-2026-28367 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request s… |
| CVE-2020-1745 | High | 8.6 | 2020-04-28 | A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before… |
| CVE-2020-1757 | High | 8.1 | 2020-04-21 | A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final… |
| CVE-2025-9784 | High | 7.5 | 2025-09-02 | A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to a… |
| CVE-2023-5379 | High | 7.5 | 2023-12-12 | A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by… |
| CVE-2023-3223 | High | 7.5 | 2023-09-27 | A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorize… |
| CVE-2023-1108 | High | 7.5 | 2023-09-14 | A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the lo… |
| CVE-2022-4492 | High | 7.5 | 2023-02-23 | The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should… |
| CVE-2022-1319 | High | 7.5 | 2022-08-31 | A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though… |
| CVE-2022-1259 | High | 7.5 | 2022-08-31 | A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the s… |
| CVE-2021-3859 | High | 7.5 | 2022-08-26 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out deni… |
| CVE-2021-3690 | High | 7.5 | 2022-08-23 | A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denia… |
| CVE-2022-2053 | High | 7.5 | 2022-08-05 | When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes… |
| CVE-2019-19343 | High | 7.5 | 2021-03-23 | A flaw was found in Undertow when using Remoting as shipped in Red Hat JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote… |
| CVE-2020-27782 | High | 7.5 | 2021-02-23 | A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-… |