Io.undertow:undertow-core

This hub aggregates every CVE we track for Io.undertow:undertow-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Io.undertow:undertow-core.

• CVE-2024-4027Undertow: outofmemoryerror in httpservletrequestimpl.getparameternames() can cause remote dos attacks7.5Jan 30, 2026
• CVE-2025-12543Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf9.6Jan 7, 2026
• CVE-2024-3884Undertow: outofmemory when parsing form data encoding with application/x-www-form-urlencoded7.5Dec 3, 2025
• CVE-2025-9784Undertow: undertow madeyoureset http/2 ddos vulnerability7.5Sep 2, 2025
• CVE-2023-4639Undertow: cookie smuggling/spoofing7.4Nov 17, 2024
• CVE-2023-1973Undertow: unrestricted request storage leads to memory exhaustion7.5Nov 7, 2024
• CVE-2024-7885Undertow: improper state management in proxy protocol parsing causes information leakage7.5Aug 21, 2024
• CVE-2024-3653Undertow: learningpushhandler can lead to remote memory dos attacks5.3Jul 8, 2024
• CVE-2024-5971Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket7.5Jul 8, 2024
• CVE-2024-6162Undertow: url-encoded request path information can be broken on ajp-listener7.5Jun 20, 2024
• CVE-2024-1635Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol7.5Feb 19, 2024
• CVE-2024-1459Undertow: directory traversal vulnerability5.3Feb 12, 2024
• CVE-2023-1108Undertow: infinite loop in sslconduit during close7.5Sep 14, 2023
• CVE-2022-4492The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and...7.5Feb 23, 2023
• CVE-2021-3859A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.7.5Aug 26, 2022