Improper Input Validation in io.undertow:undertow-core

CVE-2024-4027

io.undertow:undertow-core

High

7.5/10

Summary

A flaw was found in Undertow. Servlets using a method that calls "HttpServletRequestImpl.getParameterNames()" can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote Denial-of-Service (DoS) attack. Versions prior to 2.2.39.Final, 2.3.x.final prior to 2.3.21.Final and 2.4.0.Alpha1 are affected.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-20 - Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

Advisory
Pull request
Release Note
Issue

Advisory Timeline

Published Jan 30, 2026

Improper Input Validation in io.undertow:undertow-core

CVE-2024-4027

Summary

CWE-20 - Improper Input Validation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS