undertow-io/undertow
11 days ago
undertow

v.2.3.23.Final

Release 2.3.23.Final. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.23.Final

Bug

  • [UNDERTOW-2192] - session.getServletContext returns wrong context with shared-session-config
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior
17 days ago
undertow

v.2.2.39.Final

Release 2.2.39.Final fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.2.39.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
  • [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String
2026-01-16 01:52:49
undertow

v.2.3.22.Final

Release Notes for Undertow

Includes versions: 2.3.22.Final


Bug

  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

Enhancement

  • [UNDERTOW-2632] - Make UnavailableServletTestCase.testTempUnavailableServlet idempotent
2026-01-13 15:45:38
undertow

v2.3.21.Final

Release 2.3.21.Final fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543. Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.21.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Feature Request

  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2591] - SSEHandler header Connection is set to close
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2675] - Make Undertow compatible with RFC6265

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String
2025-10-23 00:08:23
undertow

v2.4.0.Alpha1

Release 2.4.0.Alpha1. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.4.0.Alpha1

Sub-task

  • [UNDERTOW-2462] - Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
  • [UNDERTOW-2473] - Create a default constant for UndertowOptions.ENABLE_HTTP2
  • [UNDERTOW-2474] - Create a default constant for UndertowOptions.ENABLE_STATISTICS
  • [UNDERTOW-2475] - Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
  • [UNDERTOW-2476] - Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
  • [UNDERTOW-2481] - Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
  • [UNDERTOW-2483] - Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
  • [UNDERTOW-2485] - Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS

Feature Request

  • [UNDERTOW-1748] - provide a way to "comment" a line in predicate language
  • [UNDERTOW-2273] - Exchange Attribute parser doesn't handle nested attributes
  • [UNDERTOW-2301] - HTTP/2 cannot be configured on a per-listener basis

Task

Enhancement

  • [UNDERTOW-1901] - Add multipart support methods to ManagedServlet and HttpServerExchange signatures
  • [UNDERTOW-1904] - HttpSessionImpl use exception driven control
  • [UNDERTOW-2110] - Allow line breaks in predicates
  • [UNDERTOW-2249] - HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
  • [UNDERTOW-2254] - Include the HttpServerExchange in the HostSelector
  • [UNDERTOW-2288] - Ignore line breaks inside of predicate and handlers for better readability
  • [UNDERTOW-2325] - secure-cookie() handler doesn't pick up directly-added set-cookie headers
  • [UNDERTOW-2404] - Directory listing has no sort
  • [UNDERTOW-2634] - Add mime mappings for mp4, webm, flac, weba, csv and webp
2025-10-12 08:21:54
undertow

v2.2.38.Final

Release 2.2.38.Final fixes CVE-2024-4109, CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.2.38.Final

Sub-task

  • [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
  • [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
  • [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
  • [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
  • [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
  • [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
  • [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
  • [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
  • [UNDERTOW-2585] - WebSocketStressTestCase runs indefinitely in 2.2.x CI

Bug

  • [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
  • [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
  • [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
  • [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
  • [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
  • [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
  • [UNDERTOW-2532] - Websocket Session NPE
  • [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
  • [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
  • [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
  • [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
  • [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
  • [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
  • [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
  • [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
  • [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
  • [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
  • [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
  • [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
  • [UNDERTOW-2522] - Investigate misleading build failures
  • [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
  • [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
  • [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
  • [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
  • [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file
2025-10-10 16:40:11
undertow

v2.3.20.Final

Release 2.3.20.Final fixes CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final

Bug

  • [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
  • [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
  • [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
  • [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Enhancement

2025-09-06 02:39:22
undertow

v.2.3.19.Final

Release 2.3.19.Final fixes CVE-2024-4109. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.19.Final

Sub-task

  • [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
  • [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
  • [UNDERTOW-2502] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.extension
  • [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
  • [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
  • [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
  • [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
  • [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
  • [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer

Bug

  • [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
  • [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
  • [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
  • [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
  • [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
  • [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
  • [UNDERTOW-2532] - Websocket Session NPE
  • [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
  • [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
  • [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
  • [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
  • [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
  • [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
  • [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
  • [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
  • [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
  • [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
  • [UNDERTOW-2522] - Investigate misleading build failures
  • [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
  • [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
  • [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
  • [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
  • [UNDERTOW-2571] - Fix util.Security actions as it does not take into account "default"
2024-10-17 05:12:35
undertow

v2.2.37.Final

Undertow release 2.2.37.Final. Full list of Issues: see on Jira

    Release Notes - Undertow - Version 2.2.37.Final

Bug

  • [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
  • [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
  • [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
  • [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
  • [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
  • [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
  • [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
  • [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
  • [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
2024-10-16 21:29:38
undertow

v.2.3.18.Final

Release 2.3.18.Final. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.18.Final

Bug

  • [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
  • [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
  • [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
  • [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
  • [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
  • [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
  • [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
  • [UNDERTOW-2448] - Broken responses after UNDERTOW-2425