Update dependency io.undertow:undertow-core to v2.3.22.Final

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
io.undertow:undertow-core (source)	2.3.18.Final → 2.3.22.Final

---

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

v2.3.22.Final

Compare Source

v2.3.21.Final

Compare Source

Release 2.3.21.Final fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543
Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.21.Final
        

Sub-task

• [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

Feature Request

• [UNDERTOW-2580] - Support SameSite and custom cookie attributes

Bug

• [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
• [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
• [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
• [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
• [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
• [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
• [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
• [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
• [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
• [UNDERTOW-2591] - SSEHandler header Connection is set to close
• [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
• [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
• [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
• [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
• [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
• [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
• [UNDERTOW-2675] - Make Undertow compatible with RFC6265

Task

• [UNDERTOW-2103] - Enable open ssl building in CI
• [UNDERTOW-2653] - Add back servlets and websockets-jsr to Ci

Component Upgrade

• [UNDERTOW-2644] - Upgrade wildfly openssl to 2.2.5.Final

Enhancement

• [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
• [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
• [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

v2.3.20.Final

Compare Source

Release 2.3.20.Final fixes CVE-2025-9784
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final
                                                        

Bug

• [UNDERTOW-2235] - Properly handle non servlet methods dispatched as error into container
• [UNDERTOW-2598] - CVE-2025-9784 MadeYouReset HTTP/2 DDoS Vulnerability
• [UNDERTOW-2604] - 2.3.19 regression w/ Java&#​39;s HTTP client
• [UNDERTOW-2608] - Undertow Servlet 2.3.19 fails SecurityManager checks

Enhancement

• [UNDERTOW-2607] - Syntax error in CONTRIBUTING.md file

v2.3.19.Final: v.2.3.19.Final

Compare Source

Release 2.3.19.Final fixes CVE-2024-4109
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.19.Final
        

Sub-task

• [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
• [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
• [UNDERTOW-2502] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.extension
• [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
• [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
• [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
• [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
• [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
• [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer

Bug

• [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
• [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
• [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
• [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
• [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
• [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
• [UNDERTOW-2532] - Websocket Session NPE
• [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
• [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
• [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
• [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
• [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
• [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
• [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
• [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
• [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero

Task

• [UNDERTOW-2548] - Update action versions in workflow
• [UNDERTOW-2568] - Resolve build warnings
• [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
• [UNDERTOW-2600] - Upgrade jboss-parent pom to 50
• [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository

Component Upgrade

• [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)
• [UNDERTOW-2570] - Upgrade jboss-parent pom to 49
• [UNDERTOW-2586] - Upgrade JBoss Threads to 3.7.0.Final

Enhancement

• [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #​1574
• [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
• [UNDERTOW-2522] - Investigate misleading build failures
• [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
• [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
• [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
• [UNDERTOW-2564] - Validate the signature of @​BeforeServerStarts and @​AfterServerStops methods
• [UNDERTOW-2571] - Fix util.Security actions as it does not take into account "default"

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.