undertow-io/undertow 2.2.38.Final

v2.2.38.Final

on GitHub

Release 2.2.38.Final fixes CVE-2024-4109, CVE-2025-9784
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.2.38.Final

Sub-task

• [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
• [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
• [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
• [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
• [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
• [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
• [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
• [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
• [UNDERTOW-2585] - WebSocketStressTestCase runs indefinitely in 2.2.x CI

Bug

• [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
• [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
• [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
• [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
• [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
• [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
• [UNDERTOW-2532] - Websocket Session NPE
• [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
• [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
• [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
• [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
• [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
• [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
• [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
• [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
• [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
• [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
• [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
• [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Task

• [UNDERTOW-2548] - Update action versions in workflow
• [UNDERTOW-2568] - Resolve build warnings
• [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
• [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository

Component Upgrade

• [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)

Enhancement

• [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
• [UNDERTOW-2522] - Investigate misleading build failures
• [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
• [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
• [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
• [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
• [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file