undertow-io/undertow
2026-05-19 00:10:28
undertow

v.2.4.1.Final

Release 2.4.1.Final. Full list of Jiras: view in Jira

    Release notes - Undertow - 2.4.1.Final

Bug

UNDERTOW-2763 As per RFC9112 reason-phrase is optional in HTTP 1.1 responses

Enhancement

UNDERTOW-2759 Enable testing in JDK25

UNDERTOW-2767 [2.4.x] UndertowMessages at core uses the wrong message id for fixes in new parser

2026-05-06 03:00:31
undertow

v.2.4.0.Final

Release 2.4.0.Final. Fixes CVE-2026-28367, CVE-2026-28368, CVE-2026-28369. Full list of Jiras: view in Jira

Release notes - Undertow - 2.4.0.Final

Feature Request

UNDERTOW-1593 Track processing time of in flight requests

UNDERTOW-1748 provide a way to "comment" a line in predicate language

UNDERTOW-1870 Hard-coded timeout for asynchronous HTTP requests - add async context timeout undertow option

UNDERTOW-1880 Undertow should support HTTP/2 connection management, wrt GOAWAY frame

UNDERTOW-1881 Add a new exchange attribute for SSL/TLS protocol version

UNDERTOW-2010 Provide method to invalidate all paths in CachingResourceManager

UNDERTOW-2242 Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS

UNDERTOW-2273 Exchange Attribute parser doesn't handle nested attributes

UNDERTOW-2301 HTTP/2 cannot be configured on a per-listener basis

UNDERTOW-2319 Move io.undertow.multipart.minsize property to UndertowOptions

UNDERTOW-2553 Add rewriteHostHeader to ModCluster

UNDERTOW-2580 Support SameSite and custom cookie attributes

UNDERTOW-2696 Allow PathHandler to check for registered prefixes

UNDERTOW-2706 Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT

Component Upgrade

UNDERTOW-2584 Upgrade JBoss Threads to 3.9.1

UNDERTOW-2644 Upgrade wildfly openssl to 2.2.5.Final

Enhancement

UNDERTOW-1901 Add multipart support methods to ManagedServlet and HttpServerExchange signatures

UNDERTOW-1904 HttpSessionImpl use exception driven control

UNDERTOW-2110 Allow line breaks in predicates

UNDERTOW-2231 Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown

UNDERTOW-2249 HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException

UNDERTOW-2254 Include the HttpServerExchange in the HostSelector

UNDERTOW-2288 Ignore line breaks inside of predicate and handlers for better readability

UNDERTOW-2325 secure-cookie() handler doesn't pick up directly-added set-cookie headers

UNDERTOW-2335 Add an example of the PredicatesHandler and specifically the predicate handler parser

UNDERTOW-2404 Directory listing has no sort

UNDERTOW-2634 Add mime mappings for mp4, webm, flac, weba, csv and webp

UNDERTOW-2645 Remove uses of javax.security.cert

UNDERTOW-2660 Add RoutingHandler usage example

UNDERTOW-2714 Refactor Session.getSessionManager() -> SessionReference

UNDERTOW-2717 DirectByteBufferDeallocator should avoid using ThreadLocal

UNDERTOW-2738 Move UndertowOptions to Cookies and clean up method signatures

Bug

UNDERTOW-1794 DefaultAccessLogReceiver violates Closeable contract

UNDERTOW-1874 ProxyForwardedTestCase and ProxyXForwardedTestCase should check results with DefaultServer.getDefaultServerAddress() instead of Socket.getLocalAddress()

UNDERTOW-2157 UndertowOutputStream.transferFrom appears to have a broken signature

UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.

UNDERTOW-2269 Encode Query string on forward/include and properly handle merging

UNDERTOW-2358 QueryParameterAttribute doesn't update query string in exchange

UNDERTOW-2359 rewrite() handler does not keep query parameters and query string in sync correctly

UNDERTOW-2590 Support "rspauth" in Digest auth header

UNDERTOW-2594 CVE-2026-28368 Undertow splits header names from values on spaces

UNDERTOW-2595 CVE-2026-28369 Request Smuggling via Malformed HTTP Request Headers

UNDERTOW-2596 CVE-2026-28367 Request smuggling via `\r\r\r` as a header block terminator

UNDERTOW-2603 Quoted values and comma separator cookie parsing is broken

UNDERTOW-2616 request.getParts should throw unwrapped IOException

UNDERTOW-2662 Quoted cookie versions cannot be parsed correctly

UNDERTOW-2675 Make Undertow compatible with RFC6265

UNDERTOW-2686 HttpSession.Accessor can throw ISE if session identifier has since changed

UNDERTOW-2695 Inconsistent processing of different predicates

UNDERTOW-2700 Undertow worker threads stuck on ServletOutputStreamImpl.writeBlocking()

UNDERTOW-2712 The deprecated getRequestCookies() and getResponseCookies() need to return a valid map

Task

UNDERTOW-2103 Enable open ssl building in CI

UNDERTOW-2523 Implement Jakarta Servlet 6.1

UNDERTOW-2646 Move servlet and websockets to Undertow EE

UNDERTOW-2650 Update CI and spotbugs-exclude to exclude ee files

UNDERTOW-2671 Update code headers

UNDERTOW-2684 Add SessionManager.isDistributed()

Library Upgrade

UNDERTOW-2651 Upgrade spot bugs to the latest

UNDERTOW-2725 Upgrade JBoss Threads to 3.9.2

UNDERTOW-2726 Upgrade JBoss Logging to 3.6.2.Final

UNDERTOW-2727 Upgrade Netty to 4.2.10.Final

UNDERTOW-2728 Upgrade Apache Felix Bundle plugin to 6.0.2

UNDERTOW-2730 Upgrade JBoss Class File Writer to 1.3.0.Final

UNDERTOW-2731 Upgrade JBoss Logging Processor to 3.0.0.Final

UNDERTOW-2732 Upgrade JBoss Log Manager to 3.1.2.Final

UNDERTOW-2733 Upgrade WildFly Common to 2.0.1

UNDERTOW-2735 Upgrade Apache HttpComponents to 4.5.14

Sub-task

UNDERTOW-2462 Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH

UNDERTOW-2464 Create a default constant for UndertowOptions.DECODE_URL

UNDERTOW-2465 Fix UndertowOptions.URL_CHARSET Javadoc

UNDERTOW-2466 Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE

UNDERTOW-2467 Create a default constant for UndertowOptions.ALWAYS_SET_DATE

UNDERTOW-2473 Create a default constant for UndertowOptions.ENABLE_HTTP2

UNDERTOW-2474 Create a default constant for UndertowOptions.ENABLE_STATISTICS

UNDERTOW-2475 Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal

UNDERTOW-2476 Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS

UNDERTOW-2481 Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE

UNDERTOW-2483 Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal

UNDERTOW-2484 Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE

UNDERTOW-2485 Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS

UNDERTOW-2491 Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER

UNDERTOW-2492 Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL

UNDERTOW-2494 Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK

UNDERTOW-2495 Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK

UNDERTOW-2635 BufferLeak errors in AbstractFramedChannel.receive()

Clarification

UNDERTOW-2690 Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

2026-02-19 01:16:30
undertow

v.2.4.0.Beta1

Release 2.4.0.Beta1. Fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.4.0.Beta1

Sub-task

  • [UNDERTOW-2464] - Create a default constant for UndertowOptions.DECODE_URL
  • [UNDERTOW-2465] - Fix UndertowOptions.URL_CHARSET Javadoc
  • [UNDERTOW-2466] - Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
  • [UNDERTOW-2467] - Create a default constant for UndertowOptions.ALWAYS_SET_DATE
  • [UNDERTOW-2484] - Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
  • [UNDERTOW-2491] - Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
  • [UNDERTOW-2492] - Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
  • [UNDERTOW-2494] - Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
  • [UNDERTOW-2495] - Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK

Feature Request

  • [UNDERTOW-1881] - Add a new exchange attribute for SSL/TLS protocol version
  • [UNDERTOW-2010] - Provide method to invalidate all paths in CachingResourceManager
  • [UNDERTOW-2242] - Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
  • [UNDERTOW-2319] - Move io.undertow.multipart.minsize property to UndertowOptions
  • [UNDERTOW-2553] - Add rewriteHostHeader to ModCluster
  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes
  • [UNDERTOW-2696] - Allow PathHandler to check for registered prefixes
  • [UNDERTOW-2706] - Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT

Bug

  • [UNDERTOW-1794] - DefaultAccessLogReceiver violates Closeable contract
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2194] - Cookie parsing/assembling does not work 100% correctly.
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2588] - Undertow response can still break in case of Java 17 TLSv1.3 NewSessionTicket
  • [UNDERTOW-2590] - Support "rspauth" in Digest auth header
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
  • [UNDERTOW-2686] - HttpSession.Accessor can throw ISE if session identifier has since changed
  • [UNDERTOW-2710] - Some pom.xml files reference the removed undertow-servlet and undertow-websockets-jsr modules

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2335] - Add an example of the PredicatesHandler and specifically the predicate handler parser

2026-02-05 15:43:28
undertow

v.2.3.23.Final

Release 2.3.23.Final. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.23.Final

Bug

  • [UNDERTOW-2192] - session.getServletContext returns wrong context with shared-session-config
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

2026-01-30 21:39:50
undertow

v.2.2.39.Final

Release 2.2.39.Final. Fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.2.39.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
  • [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

2026-01-16 01:52:49
undertow

v.2.3.22.Final

Release Notes for Undertow

Includes versions: 2.3.22.Final

Bug

  • [ UNDERTOW-2656 ] CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [ UNDERTOW-2676 ] Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [ UNDERTOW-2681 ] TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

Enhancement

  • [ UNDERTOW-2632 ] Make UnavailableServletTestCase.testTempUnavailableServlet idempotent

2026-01-13 15:45:38
undertow

v2.3.21.Final

Release 2.3.21.Final. Fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.21.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Feature Request

  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2591] - SSEHandler header Connection is set to close
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2675] - Make Undertow compatible with RFC6265

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

2025-10-23 00:08:23
undertow

v2.4.0.Alpha1

Release 2.4.0.Alpha1. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.4.0.Alpha1

Sub-task

  • [UNDERTOW-2462] - Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
  • [UNDERTOW-2473] - Create a default constant for UndertowOptions.ENABLE_HTTP2
  • [UNDERTOW-2474] - Create a default constant for UndertowOptions.ENABLE_STATISTICS
  • [UNDERTOW-2475] - Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
  • [UNDERTOW-2476] - Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
  • [UNDERTOW-2481] - Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
  • [UNDERTOW-2483] - Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
  • [UNDERTOW-2485] - Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS

Feature Request

  • [UNDERTOW-1748] - provide a way to "comment" a line in predicate language
  • [UNDERTOW-2273] - Exchange Attribute parser doesn't handle nested attributes
  • [UNDERTOW-2301] - HTTP/2 cannot be configured on a per-listener basis

Task

Enhancement

  • [UNDERTOW-1901] - Add multipart support methods to ManagedServlet and HttpServerExchange signatures
  • [UNDERTOW-1904] - HttpSessionImpl use exception driven control
  • [UNDERTOW-2110] - Allow line breaks in predicates
  • [UNDERTOW-2249] - HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
  • [UNDERTOW-2254] - Include the HttpServerExchange in the HostSelector
  • [UNDERTOW-2288] - Ignore line breaks inside of predicate and handlers for better readability
  • [UNDERTOW-2325] - secure-cookie() handler doesn't pick up directly-added set-cookie headers
  • [UNDERTOW-2404] - Directory listing has no sort
  • [UNDERTOW-2634] - Add mime mappings for mp4, webm, flac, weba, csv and webp

2025-10-12 08:21:54
undertow

v2.2.38.Final

Release 2.2.38.Final. Fixes CVE-2024-4109, CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.2.38.Final

Sub-task

  • [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
  • [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
  • [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
  • [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
  • [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
  • [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
  • [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
  • [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
  • [UNDERTOW-2585] - WebSocketStressTestCase runs indefinitely in 2.2.x CI

Bug

  • [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
  • [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
  • [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
  • [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
  • [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
  • [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
  • [UNDERTOW-2532] - Websocket Session NPE
  • [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
  • [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
  • [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
  • [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
  • [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
  • [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
  • [UNDERTOW-2573] - MultiPartParserDefinition can overwrite entity size in exchange request
  • [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
  • [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
  • [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
  • [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
  • [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
  • [UNDERTOW-2522] - Investigate misleading build failures
  • [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
  • [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
  • [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
  • [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
  • [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file

2025-10-10 16:40:11
undertow

v2.3.20.Final

Release 2.3.20.Final. Fixes CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final

Bug

  • [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
  • [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
  • [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
  • [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Enhancement