Bug 2275287 (CVE-2024-3884) - CVE-2024-3884 undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
Summary: CVE-2024-3884 undertow: OutOfMemory when parsing form data encoding with appl...
Keywords:
Status: NEW
Alias: CVE-2024-3884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2264122
Reported: 2024-04-16 13:39 UTC by Patrick Del Bello
Modified: 2025-12-04 15:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:22773 0 None None None 2025-12-04 15:56:32 UTC
Red Hat Product Errata RHSA-2025:22775 0 None None None 2025-12-04 15:56:55 UTC
Red Hat Product Errata RHSA-2025:22777 0 None None None 2025-12-04 15:57:27 UTC

Description Patrick Del Bello 2024-04-16 13:39:18 UTC
There exists a security vulnerability in Undertow that can cause remote DoS attacks. When the server uses the method FormEncodedDataDefinition.doParse(StreamSourceChannel) to parse large form data encoded with application/x-www-form-urlencoded, the method will cause an OutOfMemory error. This vulnerability can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack.


This happens because there is no size limit for this method, hence a large request may jeopardize the environment, leading to DoS.
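The defect described above is the absence of a byte budget while the form body is being read. The following self-contained Java class is an added illustration of the missing check, written for this page; it is not Undertow's own parser and does not reproduce FormEncodedDataDefinition. The class name, the exception type and the limits (1 KiB body, 100 parameters) are assumptions chosen for the example. The point it demonstrates is that the limit is enforced on every chunk before it is buffered, so heap usage is bounded by the configured maximum regardless of how large the incoming stream is.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative bounded parser for application/x-www-form-urlencoded bodies.
 * Hypothetical example, not Undertow code: it shows two limits that keep a
 * single oversized request from exhausting the heap, both enforced while the
 * body is still being read rather than after it has been fully buffered.
 */
public final class BoundedFormParser {

    /** Raised when a configured limit is exceeded (a server would answer 413). */
    public static final class FormTooLargeException extends IOException {
        public FormTooLargeException(String msg) { super(msg); }
    }

    private final int maxBodyBytes;   // upper bound on bytes buffered from the body
    private final int maxParameters;  // upper bound on key=value pairs accepted

    public BoundedFormParser(int maxBodyBytes, int maxParameters) {
        this.maxBodyBytes = maxBodyBytes;
        this.maxParameters = maxParameters;
    }

    /** Reads the body in chunks and aborts as soon as the byte budget is exceeded. */
    public Map<String, String> parse(InputStream body) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        long total = 0;
        int n;
        while ((n = body.read(chunk)) != -1) {
            total += n;
            // Checked before the write, so the buffer never grows past maxBodyBytes.
            if (total > maxBodyBytes) {
                throw new FormTooLargeException("form body exceeds " + maxBodyBytes + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        return decodePairs(new String(buf.toByteArray(), StandardCharsets.UTF_8));
    }

    /** Splits key=value&key=value, decodes each side and enforces the parameter cap. */
    private Map<String, String> decodePairs(String encoded) throws FormTooLargeException {
        Map<String, String> params = new LinkedHashMap<>();
        int seen = 0;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) {
                continue; // tolerate "a=1&&b=2" and an empty body
            }
            if (++seen > maxParameters) {
                throw new FormTooLargeException("more than " + maxParameters + " form parameters");
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) throws IOException {
        BoundedFormParser parser = new BoundedFormParser(1024, 100);

        // Constructed sample body of an ordinary login form.
        byte[] normal = "user=alice&lang=en%20GB&remember=on".getBytes(StandardCharsets.UTF_8);
        System.out.println("parsed: " + parser.parse(new ByteArrayInputStream(normal)));

        // Constructed oversized body: one value of 4096 bytes, well over the 1 KiB budget.
        StringBuilder big = new StringBuilder("q=");
        for (int i = 0; i < 4096; i++) {
            big.append('x');
        }
        byte[] oversized = big.toString().getBytes(StandardCharsets.UTF_8);
        try {
            parser.parse(new ByteArrayInputStream(oversized));
        } catch (FormTooLargeException e) {
            System.out.println("rejected: " + e.getMessage()); // thrown after the first 4 KiB chunk
        }
    }
}
```

Running the class prints the decoded map for the normal body and a rejection for the oversized one; the rejection happens on the first chunk, before any of the 4 KiB is retained. At deployment level, Undertow's server options UndertowOptions.MAX_ENTITY_SIZE (bounds the request body) and UndertowOptions.MAX_PARAMETERS (bounds the parameter count) provide the same two limits in front of any parser, independently of the fix shipped in the errata listed on this page.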

Comment 25 errata-xmlrpc 2025-12-04 15:56:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:22773 https://access.redhat.com/errata/RHSA-2025:22773

Comment 26 errata-xmlrpc 2025-12-04 15:56:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2025:22775 https://access.redhat.com/errata/RHSA-2025:22775

Comment 27 errata-xmlrpc 2025-12-04 15:57:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0

Via RHSA-2025:22777 https://access.redhat.com/errata/RHSA-2025:22777

