v2.4.0.Alpha1

Release 2.4.0.Alpha1
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.4.0.Alpha1

Sub-task

• [UNDERTOW-2462] - Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
• [UNDERTOW-2473] - Create a default constant for UndertowOptions.ENABLE_HTTP2
• [UNDERTOW-2474] - Create a default constant for UndertowOptions.ENABLE_STATISTICS
• [UNDERTOW-2475] - Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
• [UNDERTOW-2476] - Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
• [UNDERTOW-2481] - Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
• [UNDERTOW-2483] - Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
• [UNDERTOW-2485] - Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS

Feature Request

• [UNDERTOW-1748] - provide a way to "comment" a line in predicate language
• [UNDERTOW-2273] - Exchange Attribute parser doesn't handle nested attributes
• [UNDERTOW-2301] - HTTP/2 cannot be configured on a per-listener basis

Task

• [UNDERTOW-2523] - Implement Jakarta Servlet 6.1
• [UNDERTOW-2646] - Move servlet and websockets to Undertow EE

Enhancement

• [UNDERTOW-1901] - Add multipart support methods to ManagedServlet and HttpServerExchange signatures
• [UNDERTOW-1904] - HttpSessionImpl use exception driven control
• [UNDERTOW-2110] - Allow line breaks in predicates
• [UNDERTOW-2249] - HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
• [UNDERTOW-2254] - Include the HttpServerExchange in the HostSelector
• [UNDERTOW-2288] - Ignore line breaks inside of predicate and handlers for better readability
• [UNDERTOW-2325] - secure-cookie() handler doesn't pick up directly-added set-cookie headers
• [UNDERTOW-2404] - Directory listing has no sort
• [UNDERTOW-2634] - Add mime mappings for mp4, webm, flac, weba, csv and webp

v2.2.38.Final

Release 2.2.38.Final fixes CVE-2024-4109, CVE-2025-9784
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.2.38.Final

Sub-task

• [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
• [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
• [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
• [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
• [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
• [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
• [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
• [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
• [UNDERTOW-2585] - WebSocketStressTestCase runs indefinitely in 2.2.x CI

Bug

• [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
• [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
• [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
• [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
• [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
• [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
• [UNDERTOW-2532] - Websocket Session NPE
• [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
• [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
• [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
• [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
• [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
• [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
• [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
• [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
• [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
• [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
• [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
• [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Task

• [UNDERTOW-2548] - Update action versions in workflow
• [UNDERTOW-2568] - Resolve build warnings
• [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
• [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository

Component Upgrade

• [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)

Enhancement

• [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
• [UNDERTOW-2522] - Investigate misleading build failures
• [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
• [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
• [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
• [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
• [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file

v2.3.20.Final

Release 2.3.20.Final fixes CVE-2025-9784
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final

Bug

• [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
• [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
• [UNDERTOW-2604] - 2.3.19 regression w/ Java's HTTP client
• [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Enhancement

• [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file

v.2.3.19.Final

Release 2.3.19.Final fixes CVE-2024-4109
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.19.Final

Sub-task

• [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
• [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
• [UNDERTOW-2502] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.extension
• [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
• [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
• [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
• [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
• [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
• [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer

Bug

• [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
• [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
• [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
• [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
• [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
• [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
• [UNDERTOW-2532] - Websocket Session NPE
• [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
• [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
• [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
• [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
• [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
• [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
• [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
• [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
• [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero

Task

• [UNDERTOW-2548] - Update action versions in workflow
• [UNDERTOW-2568] - Resolve build warnings
• [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
• [UNDERTOW-2600] - Upgrade jboss-parent pom to 50
• [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository

Component Upgrade

• [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)
• [UNDERTOW-2570] - Upgrade jboss-parent pom to 49
• [UNDERTOW-2586] - Upgrade JBoss Threads to 3.7.0.Final

Enhancement

• [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
• [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
• [UNDERTOW-2522] - Investigate misleading build failures
• [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
• [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
• [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
• [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
• [UNDERTOW-2571] - Fix util.Security actions as it does not take into account "default"

v.2.3.18.Final

Release 2.3.18.Final
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.18.Final

Bug

• [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
• [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
• [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
• [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
• [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
• [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
• [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
• [UNDERTOW-2448] - Broken responses after UNDERTOW-2425

v2.2.37.Final

Undertow release 2.2.37.Final
Full list of Issues: see on Jira

    Release Notes - Undertow - Version 2.2.37.Final

Bug

• [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
• [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
• [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
• [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
• [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
• [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
• [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
• [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
• [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1

v2.2.36.Final

Includes CVES: CVE-2024-7885

    Release Notes - Undertow - Version 2.2.36.Final

Bug

• [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage

Enhancement

• [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches

v2.3.17.Final

Includes CVEs: CVE-2024-7885

    Release Notes - Undertow - Version 2.3.17.Final

Bug

• [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage

v2.3.16.Final

    Release Notes - Undertow - Version 2.3.16.Final

Bug

• [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
• [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
• [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
• [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
• [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer

v.2.2.35.Final

    Release Notes - Undertow - Version 2.2.35.Final

Bug

• [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
• [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
• [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
• [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
• [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer