github undertow-io/undertow 2.4.0.Beta1

9 hours ago

Release 2.4.0.Beta1. Fixes CVE-2024-3884, CVE-2024-4027, CVE-2025-12543.
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.4.0.Beta1

Sub-task

  • [UNDERTOW-2464] - Create a default constant for UndertowOptions.DECODE_URL
  • [UNDERTOW-2465] - Fix UndertowOptions.URL_CHARSET Javadoc
  • [UNDERTOW-2466] - Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
  • [UNDERTOW-2467] - Create a default constant for UndertowOptions.ALWAYS_SET_DATE
  • [UNDERTOW-2484] - Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
  • [UNDERTOW-2491] - Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
  • [UNDERTOW-2492] - Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
  • [UNDERTOW-2494] - Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
  • [UNDERTOW-2495] - Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK

Feature Request

  • [UNDERTOW-1881] - Add a new exchange attribute for SSL/TLS protocol version
  • [UNDERTOW-2010] - Provide method to invalidate all paths in CachingResourceManager
  • [UNDERTOW-2242] - Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
  • [UNDERTOW-2319] - Move io.undertow.multipart.minsize property to UndertowOptions
  • [UNDERTOW-2553] - Add rewriteHostHeader to ModCluster
  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes
  • [UNDERTOW-2696] - Allow PathHandler to check for registered prefixes
  • [UNDERTOW-2706] - Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT

Bug

  • [UNDERTOW-1794] - DefaultAccessLogReceiver violates Closeable contract
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2194] - Cookie parsing/assembling does not work 100% correctly.
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2588] - Undertow response can still break in case of Java 17 TLSv1.3 NewSessionTicket
  • [UNDERTOW-2590] - Support "rspauth" in Digest auth header
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
  • [UNDERTOW-2686] - HttpSession.Accessor can throw ISE if session identifier has since changed
  • [UNDERTOW-2710] - Some pom.xml files reference the removed undertow-servlet and undertow-websockets-jsr modules

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2335] - Add an example of the PredicatesHandler and specifically the predicate handler parser
