v.2.4.1.Final
Release 2.4.1.Final. Full list of Jiras: view in Jira
# Release notes - Undertow - 2.4.1.Final
UNDERTOW-2763 As per RFC9112 reason-phrase is optional in HTTP 1.1 responses
UNDERTOW-2759 Enable testing in JDK25
UNDERTOW-2767 [2.4.x] UndertowMessages at core uses the wrong message id for fixes in new parser
v.2.4.0.Final
Release 2.4.0.Final. Fixes CVE-2026-28367, CVE-2026-28368, CVE-2026-28369. Full list of Jiras: view in Jira
UNDERTOW-1593 Track processing time of in flight requests
UNDERTOW-1748 provide a way to "comment" a line in predicate language
UNDERTOW-1870 Hard-coded timeout for asynchronous HTTP requests - add async context timeout undertow option
UNDERTOW-1880 Undertow should support HTTP/2 connection management, wrt GOAWAY frame
UNDERTOW-1881 Add a new exchange attribute for SSL/TLS protocol version
UNDERTOW-2010 Provide method to invalidate all paths in CachingResourceManager
UNDERTOW-2242 Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
UNDERTOW-2273 Exchange Attribute parser doesn't handle nested attributes
UNDERTOW-2301 HTTP/2 cannot be configured on a per-listener basis
UNDERTOW-2319 Move io.undertow.multipart.minsize property to UndertowOptions
UNDERTOW-2553 Add rewriteHostHeader to ModCluster
UNDERTOW-2580 Support SameSite and custom cookie attributes
UNDERTOW-2696 Allow PathHandler to check for registered prefixes
UNDERTOW-2706 Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT
UNDERTOW-2584 Upgrade JBoss Threads to 3.9.1
UNDERTOW-2644 Upgrade wildfly openssl to 2.2.5.Final
UNDERTOW-1901 Add multipart support methods to ManagedServlet and HttpServerExchange signatures
UNDERTOW-1904 HttpSessionImpl use exception driven control
UNDERTOW-2110 Allow line breaks in predicates
UNDERTOW-2231 Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
UNDERTOW-2249 HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
UNDERTOW-2254 Include the HttpServerExchange in the HostSelector
UNDERTOW-2288 Ignore line breaks inside of predicate and handlers for better readability
UNDERTOW-2325 secure-cookie() handler doesn't pick up directly-added set-cookie headers
UNDERTOW-2335 Add an example of the PredicatesHandler and specifically the predicate handler parser
UNDERTOW-2404 Directory listing has no sort
UNDERTOW-2634 Add mime mappings for mp4, webm, flac, weba, csv and webp
UNDERTOW-2645 Remove uses of javax.security.cert
UNDERTOW-2660 Add RoutingHandler usage example
UNDERTOW-2714 Refactor Session.getSessionManager() -> SessionReference
UNDERTOW-2717 DirectyByteBufferDeallocator should avoid using ThreadLocal
UNDERTOW-2738 Move UndertowOptions to Cookies and clean up method signatures
UNDERTOW-1794 DefaultAccessLogReceiver violates Closeable contract
UNDERTOW-1874 ProxyForwardedTestCase and ProxyXForwardedTestCase should check results with DefaultServer.getDefaultServerAddress() instead of Socket.getLocalAddress()
UNDERTOW-2157 UndertowOutputStream.transferFrom appears to have a broken signature
UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.
UNDERTOW-2269 Encode Query string on forward/include and properly handle merging
UNDERTOW-2358 QueryParameterAttribute doesn't update query string in exchange
UNDERTOW-2359 rewrite() handler does not keep query parameters and query string in sync correctly
UNDERTOW-2590 Support "rspauth" in Digest auth header
UNDERTOW-2594 CVE-2026-28368 Undertow splits header names from values on spaces
UNDERTOW-2595 CVE-2026-28369 Request Smuggling via Malformed HTTP Request Headers
UNDERTOW-2596 CVE-2026-28367 Request smuggling via `\r\r\r` as a header block terminator
UNDERTOW-2603 Quoted values and comma separator cookie parsing is broken
UNDERTOW-2616 request.getParts should throw unwrapped IOException
UNDERTOW-2662 Quoted cookie versions cannot be parsed correctly
UNDERTOW-2675 Make Undertow compatible with RFC6265
UNDERTOW-2686 HttpSession.Accessor can throw ISE if session identifier has since changed
UNDERTOW-2695 Inconsistent processing of different predicates
UNDERTOW-2700 Undertow worker threads stuck on ServletOutputStreamImpl.writeBlocking()
UNDERTOW-2712 The deprecated getRequestCookies() and getResponseCookies() need to return a valid map
UNDERTOW-2103 Enable open ssl building in CI
UNDERTOW-2523 Implement Jakarta Servlet 6.1
UNDERTOW-2646 Move servlet and websockets to Undertow EE
UNDERTOW-2650 Update CI and spotbugs-exclude to exclude ee files
UNDERTOW-2671 Update code headers
UNDERTOW-2684 Add SessionManager.isDistributed()
UNDERTOW-2651 Upgrade spot bugs to the latest
UNDERTOW-2725 Upgrade JBoss Threads to 3.9.2
UNDERTOW-2726 Upgrade JBoss Logging to 3.6.2.Final
UNDERTOW-2727 Upgrade Netty to 4.2.10.Final
UNDERTOW-2728 Upgrade Apache Felix Bundle plugin to 6.0.2
UNDERTOW-2730 Upgrade JBoss Class File Writer to 1.3.0.Final
UNDERTOW-2731 Upgrade JBoss Logging Processor to 3.0.0.Final
UNDERTOW-2732 Upgrade JBoss Log Manager to 3.1.2.Final
UNDERTOW-2733 Upgrade WildFly Common to 2.0.1
UNDERTOW-2735 Upgrade Apache HttpComponents to 4.5.14
UNDERTOW-2462 Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
UNDERTOW-2464 Create a default constant for UndertowOptions.DECODE_URL
UNDERTOW-2465 Fix UndertowOptions.URL_CHARSET Javadoc
UNDERTOW-2466 Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
UNDERTOW-2467 Create a default constant for UndertowOptions.ALWAYS_SET_DATE
UNDERTOW-2473 Create a default constant for UndertowOptions.ENABLE_HTTP2
UNDERTOW-2474 Create a default constant for UndertowOptions.ENABLE_STATISTICS
UNDERTOW-2475 Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
UNDERTOW-2476 Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
UNDERTOW-2481 Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
UNDERTOW-2483 Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
UNDERTOW-2484 Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
UNDERTOW-2485 Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS
UNDERTOW-2491 Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
UNDERTOW-2492 Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
UNDERTOW-2494 Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
UNDERTOW-2495 Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK
UNDERTOW-2635 BufferLeak errors in AbstractFramedChannel.receive()
UNDERTOW-2690 Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior
v.2.4.0.Beta1
Release 2.4.0.Beta1. Fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira
Release Notes - Undertow - Version 2.4.0.Beta1
- [UNDERTOW-2464] - Create a default constant for UndertowOptions.DECODE_URL
- [UNDERTOW-2465] - Fix UndertowOptions.URL_CHARSET Javadoc
- [UNDERTOW-2466] - Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
- [UNDERTOW-2467] - Create a default constant for UndertowOptions.ALWAYS_SET_DATE
- [UNDERTOW-2484] - Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
- [UNDERTOW-2491] - Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
- [UNDERTOW-2492] - Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
- [UNDERTOW-2494] - Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
- [UNDERTOW-2495] - Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK
- [UNDERTOW-1881] - Add a new exchange attribute for SSL/TLS protocol version
- [UNDERTOW-2010] - Provide method to invalidate all paths in CachingResourceManager
- [UNDERTOW-2242] - Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
- [UNDERTOW-2319] - Move io.undertow.multipart.minsize property to UndertowOptions
- [UNDERTOW-2553] - Add rewriteHostHeader to ModCluster
- [UNDERTOW-2580] - Support SameSite and custom cookie attributes
- [UNDERTOW-2696] - Allow PathHandler to check for registered prefixes
- [UNDERTOW-2706] - Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT
- [UNDERTOW-1794] - DefaultAccessLogReceiver violates Closeable contract
- [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
- [UNDERTOW-2194] - Cookie parsing/assembling does not work 100% correctly.
- [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
- [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
- [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
- [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
- [UNDERTOW-2588] - Undertow response can still break in case of Java 17 TLSv1.3 NewSessionTicket
- [UNDERTOW-2590] - Support "rspauth" in Digest auth header
- [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
- [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
- [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
- [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
- [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
- [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
- [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
- [UNDERTOW-2686] - HttpSession.Accessor can throw ISE if session identifier has since changed
- [UNDERTOW-2710] - Some pom.xml files reference the removed undertow-servlet and undertow-websockets-jsr modules
- [UNDERTOW-2103] - Enable open ssl building in CI
- [UNDERTOW-2684] - Add SessionManager.isDistributed()
- [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior
- [UNDERTOW-2644] - Upgrade wildfly openssl to 2.2.5.Final
- [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
- [UNDERTOW-2335] - Add an example of the PredicatesHandler and specifically the predicate handler parser
v.2.3.23.Final
Release 2.3.23.Final. Full list of Jiras: view in Jira
Release Notes - Undertow - Version 2.3.23.Final
- [UNDERTOW-2192] - session.getServletContext returns wrong context with shared-session-config
- [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
- [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
- [UNDERTOW-2694] - Remove build.metadata file added by mistake
- [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior
v.2.2.39.Final
Release 2.2.39.Final fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira
Release Notes - Undertow - Version 2.2.39.Final
- [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE
- [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
- [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
- [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
- [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
- [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
- [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
- [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
- [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
- [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
- [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
- [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
- [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
- [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
- [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
- [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
- [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
- [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes
- [UNDERTOW-2103] - Enable open ssl building in CI
- [UNDERTOW-2694] - Remove build.metadata file added by mistake
- [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior
- [UNDERTOW-2652] - Upgrade wildfly openssl to 1.1.3.Final
- [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
- [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
- [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String
v.2.3.22.Final
- [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
- [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
- [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes
- [ UNDERTOW-2632 ] Make UnavailableServletTestCase.testTempUnavailableServlet idempotent
v2.3.21.Final
Release 2.3.21.Final fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira
Release Notes - Undertow - Version 2.3.21.Final
- [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE
- [UNDERTOW-2580] - Support SameSite and custom cookie attributes
- [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
- [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
- [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
- [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
- [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
- [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
- [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
- [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
- [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
- [UNDERTOW-2591] - SSEHandler header Connection is set to close
- [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
- [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
- [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
- [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
- [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
- [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
- [UNDERTOW-2675] - Make Undertow compatible with RFC6265
- [UNDERTOW-2103] - Enable open ssl building in CI
- [UNDERTOW-2653] - Add back servlets and websockets-jsr to Ci
- [UNDERTOW-2644] - Upgrade wildfly openssl to 2.2.5.Final
- [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
- [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
- [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String
v2.4.0.Alpha1
Release 2.4.0.Alpha1. Full list of issues: view in Jira
Release Notes - Undertow - Version 2.4.0.Alpha1
- [UNDERTOW-2462] - Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
- [UNDERTOW-2473] - Create a default constant for UndertowOptions.ENABLE_HTTP2
- [UNDERTOW-2474] - Create a default constant for UndertowOptions.ENABLE_STATISTICS
- [UNDERTOW-2475] - Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
- [UNDERTOW-2476] - Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
- [UNDERTOW-2481] - Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
- [UNDERTOW-2483] - Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
- [UNDERTOW-2485] - Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS
- [UNDERTOW-1748] - provide a way to "comment" a line in predicate language
- [UNDERTOW-2273] - Exchange Attribute parser doesn't handle nested attributes
- [UNDERTOW-2301] - HTTP/2 cannot be configured on a per-listener basis
- [UNDERTOW-2523] - Implement Jakarta Servlet 6.1
- [UNDERTOW-2646] - Move servlet and websockets to Undertow EE
- [UNDERTOW-1901] - Add multipart support methods to ManagedServlet and HttpServerExchange signatures
- [UNDERTOW-1904] - HttpSessionImpl use exception driven control
- [UNDERTOW-2110] - Allow line breaks in predicates
- [UNDERTOW-2249] - HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
- [UNDERTOW-2254] - Include the HttpServerExchange in the HostSelector
- [UNDERTOW-2288] - Ignore line breaks inside of predicate and handlers for better readability
- [UNDERTOW-2325] - secure-cookie() handler doesn't pick up directly-added set-cookie headers
- [UNDERTOW-2404] - Directory listing has no sort
- [UNDERTOW-2634] - Add mime mappings for mp4, webm, flac, weba, csv and webp
v2.2.38.Final
Release 2.2.38.Final fixes CVE-2024-4109, CVE-2025-9784. Full list of issues: view in Jira
Release Notes - Undertow - Version 2.2.38.Final
- [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
- [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
- [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
- [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
- [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
- [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
- [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
- [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
- [UNDERTOW-2585] - WebSocketStressTestCase runs indefinitely in 2.2.x CI
- [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
- [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
- [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
- [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
- [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
- [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
- [UNDERTOW-2532] - Websocket Session NPE
- [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
- [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
- [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
- [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
- [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
- [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
- [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
- [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
- [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
- [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
- [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
- [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks
- [UNDERTOW-2548] - Update action versions in workflow
- [UNDERTOW-2568] - Resolve build warnings
- [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
- [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository
- [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)
- [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
- [UNDERTOW-2522] - Investigate misleading build failures
- [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
- [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
- [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
- [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
- [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file
v2.3.20.Final
Release 2.3.20.Final fixes CVE-2025-9784. Full list of issues: view in Jira
Release Notes - Undertow - Version 2.3.20.Final
- [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
- [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
- [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
- [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks
- [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file