Update dependency io.undertow:undertow-core to v2.4.1.Final #6

Open
renovate[bot] wants to merge 1 commit into main from renovate/io.undertow-undertow-core-2.x

Conversation

@renovate renovate Bot commented Sep 6, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| io.undertow:undertow-core (source) | 2.3.18.Final -> 2.4.1.Final |

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

v2.4.1.Final: v.2.4.1.Final

Release 2.4.1.Final
Full list of Jiras: view in Jira

Release notes - Undertow - 2.4.1.Final

Bug

UNDERTOW-2763 As per RFC9112 reason-phrase is optional in HTTP 1.1 responses

Enhancement

UNDERTOW-2759 Enable testing in JDK25

UNDERTOW-2767 [2.4.x] UndertowMessages at core uses the wrong message id for fixes in new parser

v2.4.0.Final: v.2.4.0.Final

Release 2.4.0.Final Fixes CVE-2026-28367 CVE-2026-28368 CVE-2026-28369
Full list of Jiras: view in Jira

Release notes - Undertow - 2.4.0.Final

Feature Request

UNDERTOW-1593 Track processing time of in flight requests

UNDERTOW-1748 provide a way to "comment" a line in predicate language

UNDERTOW-1870 Hard-coded timeout for asynchronous HTTP requests - add async context timeout undertow option

UNDERTOW-1880 Undertow should support HTTP/2 connection management, wrt GOAWAY frame

UNDERTOW-1881 Add a new exchange attribute for SSL/TLS protocol version

UNDERTOW-2010 Provide method to invalidate all paths in CachingResourceManager

UNDERTOW-2242 Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS

UNDERTOW-2273 Exchange Attribute parser doesn't handle nested attributes

UNDERTOW-2301 HTTP/2 cannot be configured on a per-listener basis

UNDERTOW-2319 Move io.undertow.multipart.minsize property to UndertowOptions

UNDERTOW-2553 Add rewriteHostHeader to ModCluster

UNDERTOW-2580 Support SameSite and custom cookie attributes

UNDERTOW-2696 Allow PathHandler to check for registered prefixes

UNDERTOW-2706 Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT

Component Upgrade

UNDERTOW-2584 Upgrade JBoss Threads to 3.9.1

UNDERTOW-2644 Upgrade wildfly openssl to 2.2.5.Final

Enhancement

UNDERTOW-1901 Add multipart support methods to ManagedServlet and HttpServerExchange signatures

UNDERTOW-1904 HttpSessionImpl use exception driven control

UNDERTOW-2110 Allow line breaks in predicates

UNDERTOW-2231 Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown

UNDERTOW-2249 HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException

UNDERTOW-2254 Include the HttpServerExchange in the HostSelector

UNDERTOW-2288 Ignore line breaks inside of predicate and handlers for better readability

UNDERTOW-2325 secure-cookie() handler doesn't pick up directly-added set-cookie headers

UNDERTOW-2335 Add an example of the PredicatesHandler and specifically the predicate handler parser

UNDERTOW-2404 Directory listing has no sort

UNDERTOW-2634 Add mime mappings for mp4, webm, flac, weba, csv and webp

UNDERTOW-2645 Remove uses of javax.security.cert

UNDERTOW-2660 Add RoutingHandler usage example

UNDERTOW-2714 Refactor Session.getSessionManager() -> SessionReference

UNDERTOW-2717 DirectyByteBufferDeallocator should avoid using ThreadLocal

UNDERTOW-2738 Move UndertowOptions to Cookies and clean up method signatures

Bug

UNDERTOW-1794 DefaultAccessLogReceiver violates Closeable contract

UNDERTOW-1874 ProxyForwardedTestCase and ProxyXForwardedTestCase should check results with DefaultServer.getDefaultServerAddress() instead of Socket.getLocalAddress()

UNDERTOW-2157 UndertowOutputStream.transferFrom appears to have a broken signature

UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.

UNDERTOW-2269 Encode Query string on forward/include and properly handle merging

UNDERTOW-2358 QueryParameterAttribute doesn't update query string in exchange

UNDERTOW-2359 rewrite() handler does not keep query parameters and query string in sync correctly

UNDERTOW-2590 Support "rspauth" in Digest auth header

UNDERTOW-2594 CVE-2026-28368 Undertow splits header names from values on spaces

UNDERTOW-2595 CVE-2026-28369 Request Smuggling via Malformed HTTP Request Headers

UNDERTOW-2596 CVE-2026-28367 Request smuggling via `\r\r\r` as a header block terminator

UNDERTOW-2603 Quoted values and comma separator cookie parsing is broken

UNDERTOW-2616 request.getParts should throw unwrapped IOException

UNDERTOW-2662 Quoted cookie versions cannot be parsed correctly

UNDERTOW-2675 Make Undertow compatible with RFC6265

UNDERTOW-2686 HttpSession.Accessor can throw ISE if session identifier has since changed

UNDERTOW-2695 Inconsistent processing of different predicates

UNDERTOW-2700 Undertow worker threads stuck on ServletOutputStreamImpl.writeBlocking()

UNDERTOW-2712 The deprecated getRequestCookies() and getResponseCookies() need to return a valid map

Task

UNDERTOW-2103 Enable open ssl building in CI

UNDERTOW-2523 Implement Jakarta Servlet 6.1

UNDERTOW-2646 Move servlet and websockets to Undertow EE

UNDERTOW-2650 Update CI and spotbugs-exclude to exclude ee files

UNDERTOW-2671 Update code headers

UNDERTOW-2684 Add SessionManager.isDistributed()

Library Upgrade

UNDERTOW-2651 Upgrade spot bugs to the latest

UNDERTOW-2725 Upgrade JBoss Threads to 3.9.2

UNDERTOW-2726 Upgrade JBoss Logging to 3.6.2.Final

UNDERTOW-2727 Upgrade Netty to 4.2.10.Final

UNDERTOW-2728 Upgrade Apache Felix Bundle plugin to 6.0.2

UNDERTOW-2730 Upgrade JBoss Class File Writer to 1.3.0.Final

UNDERTOW-2731 Upgrade JBoss Logging Processor to 3.0.0.Final

UNDERTOW-2732 Upgrade JBoss Log Manager to 3.1.2.Final

UNDERTOW-2733 Upgrade WildFly Common to 2.0.1

UNDERTOW-2735 Upgrade Apache HttpComponents to 4.5.14

Sub-task

UNDERTOW-2462 Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH

UNDERTOW-2464 Create a default constant for UndertowOptions.DECODE_URL

UNDERTOW-2465 Fix UndertowOptions.URL_CHARSET Javadoc

UNDERTOW-2466 Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE

UNDERTOW-2467 Create a default constant for UndertowOptions.ALWAYS_SET_DATE

UNDERTOW-2473 Create a default constant for UndertowOptions.ENABLE_HTTP2

UNDERTOW-2474 Create a default constant for UndertowOptions.ENABLE_STATISTICS

UNDERTOW-2475 Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal

UNDERTOW-2476 Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS

UNDERTOW-2481 Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE

UNDERTOW-2483 Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal

UNDERTOW-2484 Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE

UNDERTOW-2485 Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS

UNDERTOW-2491 Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER

UNDERTOW-2492 Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL

UNDERTOW-2494 Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK

UNDERTOW-2495 Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK

UNDERTOW-2635 BufferLeak errors in AbstractFramedChannel.receive()

Clarification

UNDERTOW-2690 Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

v2.3.24.Final

v2.3.23.Final: v.2.3.23.Final

Release 2.3.23.Final
Full list of Jiras: view in Jira

Release Notes - Undertow - Version 2.3.23.Final

Bug

  • [UNDERTOW-2192] - session.getServletContext returns wrong context with shared-session-config
  • [UNDERTOW-2663] - Unclear Error Message When Max Session Limit is Exceeded
  • [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources

Task

Clarification

  • [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

v2.3.22.Final: v.2.3.22.Final

Release 2.3.22.Final
Full list of Jiras: view in Jira

Release Notes - Undertow - Version 2.3.22.Final

Bug

  • [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
  • [UNDERTOW-2681] - TCCL when invoking annotated websocket endpoint methods doesn't expose deployment classes

v2.3.21.Final

Release 2.3.21.Final fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543
Full list of Jiras: view in Jira

Release Notes - Undertow - Version 2.3.21.Final

Sub-task

  • [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Feature Request

  • [UNDERTOW-2580] - Support SameSite and custom cookie attributes

Bug

  • [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
  • [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
  • [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
  • [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
  • [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
  • [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
  • [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
  • [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
  • [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
  • [UNDERTOW-2591] - SSEHandler header Connection is set to close
  • [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
  • [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
  • [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
  • [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
  • [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
  • [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
  • [UNDERTOW-2675] - Make Undertow compatible with RFC6265

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
  • [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
  • [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

v2.3.20.Final

Release 2.3.20.Final fixes CVE-2025-9784
Full list of issues: view in Jira

Release Notes - Undertow - Version 2.3.20.Final

Bug

Enhancement

v2.3.19.Final: v.2.3.19.Final

Release 2.3.19.Final fixes CVE-2024-4109
Full list of issues: view in Jira

Release Notes - Undertow - Version 2.3.19.Final

Sub-task

  • [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
  • [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
  • [UNDERTOW-2502] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.extension
  • [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
  • [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
  • [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
  • [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
  • [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
  • [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer

Bug

  • [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
  • [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
  • [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
  • [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
  • [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
  • [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
  • [UNDERTOW-2532] - Websocket Session NPE
  • [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
  • [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
  • [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
  • [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
  • [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
  • [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
  • [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
  • [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
  • [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero

Task

Component Upgrade

Enhancement

  • [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
  • [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
  • [UNDERTOW-2522] - Investigate misleading build failures
  • [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
  • [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
  • [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
  • [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
  • [UNDERTOW-2571] - Fix util.Security actions as it does not take into account "default"

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.19.Final" to "Update dependency io.undertow:undertow-core to v2.3.20.Final" on Oct 10, 2025
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch from 32927ea to 678cb94 on October 10, 2025 18:01
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.20.Final" to "Update dependency io.undertow:undertow-core to v2.3.21.Final" on Jan 14, 2026
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch 2 times, most recently from d8d7f94 to 02538fe on January 16, 2026 03:01
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.21.Final" to "Update dependency io.undertow:undertow-core to v2.3.22.Final" on Jan 16, 2026
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch from 02538fe to ff2fcb7 on February 6, 2026 04:38
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.22.Final" to "Update dependency io.undertow:undertow-core to v2.3.23.Final" on Feb 6, 2026
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.23.Final" to "Update dependency io.undertow:undertow-core to v2.3.24.Final" on Mar 21, 2026
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch from ff2fcb7 to 6646ed4 on March 21, 2026 05:37
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch from 6646ed4 to ae65620 on May 6, 2026 04:38
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.3.24.Final" to "Update dependency io.undertow:undertow-core to v2.4.0.Final" on May 6, 2026
renovate Bot changed the title from "Update dependency io.undertow:undertow-core to v2.4.0.Final" to "Update dependency io.undertow:undertow-core to v2.4.1.Final" on May 19, 2026
renovate Bot force-pushed the renovate/io.undertow-undertow-core-2.x branch from ae65620 to 5a422e0 on May 19, 2026 05:28