Skip to main content

Undertow

23 CVEs product

Monthly

CVE-2025-12543 Maven CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +5
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-9784 Maven HIGH PATCH GHSA This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform Fuse Single Sign On +4
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-1459 Maven MEDIUM PATCH This Month

A path traversal vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Undertow
NVD
CVSS 3.1
5.3
EPSS
1.7%
CVE-2023-5379 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On Undertow
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-3223 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform Openshift Container Platform For Ibm Linuxone Openshift Container Platform For Power +3
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2023-1108 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager Fuse Integration Camel K +12
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-2764 MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform Jboss Fuse Single Sign On +5
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2022-1319 HIGH PATCH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openshift Application Runtimes Single Sign On Undertow Active Iq Unified Manager +3
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-1259 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K Jboss Enterprise Application Platform Openshift Application Runtimes +6
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-2053 Maven HIGH PATCH This Week

When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Fuse Undertow
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-20220 Maven MEDIUM PATCH This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Request Smuggling XSS Undertow Active Iq Unified Manager Oncommand Workflow Automation
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-10687 Maven MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-10705 Maven HIGH PATCH This Week

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Oncommand Insight Jboss Enterprise Application Platform Openshift Application Runtimes
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-10719 Maven MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow Oncommand Insight Fuse +5
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-1745 Maven CRITICAL PATCH Act Now

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass Undertow
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-1757 Maven HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +2
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2019-10212 Maven CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +3
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2019-10184 Maven HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Openshift Application Runtimes +2
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2019-3888 Maven CRITICAL PATCH Act Now

A vulnerability was found in Undertow web server before 2.0.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Undertow Virtualization Virtualization Host +3
NVD
CVSS 3.1
9.8
EPSS
3.4%
CVE-2018-14642 Maven MEDIUM PATCH This Month

An information leak vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Undertow Jboss Enterprise Application Platform
NVD
CVSS 3.1
5.3
EPSS
2.1%
CVE-2018-1114 Maven MEDIUM PATCH This Month

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Undertow Virtualization Virtualization Host
NVD
CVSS 3.0
6.5
EPSS
2.3%
CVE-2018-1067 Maven MEDIUM PATCH This Month

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Undertow Jboss Enterprise Application Platform Virtualization Host
NVD
CVSS 3.1
6.1
EPSS
1.8%
CVE-2014-7816 Maven MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 55.2%.

Path Traversal Microsoft Undertow
NVD
CVSS 2.0
5.0
EPSS
55.2%
Threat
4.2
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation +7
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +6
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

A path traversal vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Undertow
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform +5
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager +14
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform +7
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openshift Application Runtimes Single Sign On +5
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K +8
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Fuse +1
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Request Smuggling XSS Undertow +2
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Oncommand Insight +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow +7
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass Undertow
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid +4
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid +5
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid +4
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability was found in Undertow web server before 2.0.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Undertow +5
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

An information leak vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Undertow Jboss Enterprise Application Platform
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Undertow Virtualization +1
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Undertow Jboss Enterprise Application Platform +1
NVD
EPSS 55% 4.2 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 55.2%.

Path Traversal Microsoft Undertow
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy