undertow-io/undertow 2.2.39.Final

v.2.2.39.Final

on GitHub

Release 2.2.39.Final fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.2.39.Final

Sub-task

• [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Bug

• [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
• [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
• [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
• [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
• [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
• [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
• [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
• [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
• [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
• [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
• [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
• [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
• [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
• [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
• [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
• [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
• [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

Task

• [UNDERTOW-2103] - Enable open ssl building in CI
• [UNDERTOW-2694] - Remove build.metadata file added by mistake

Clarification

• [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

Component Upgrade

• [UNDERTOW-2652] - Upgrade wildfly openssl to 1.1.3.Final

Enhancement

• [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
• [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
• [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String