Red Hat Apache Camel Hawtio
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Apache Camel Hawtio.
By the Year
In 2026 there have been 2 vulnerabilities in Red Hat Apache Camel Hawtio with an average score of 8.6 out of ten. Last year, in 2025 Apache Camel Hawtio had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Apache Camel Hawtio in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.75.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 8.55 |
| 2025 | 3 | 6.80 |
| 2024 | 7 | 7.10 |
It may take a day or so for new Apache Camel Hawtio vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Apache Camel Hawtio Security Vulnerabilities
Undertow OOM via large servlet param names
CVE-2024-4027
7.5 - High
- January 30, 2026
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.
Improper Input Validation
Undertow Host Header Validation Flaw Enables Cache Poisoning
CVE-2025-12543
9.6 - Critical
- January 07, 2026
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Improper Input Validation
Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884
7.5 - High
- December 03, 2025
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Improper Input Validation
Undertow DoS via MadeYouReset Server-Reset Abuse
CVE-2025-9784
7.5 - High
- September 02, 2025
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Allocation of Resources Without Limits or Throttling
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397
7.4 - High
- December 12, 2024
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
HTTP Request Smuggling
Undertow ProxyProtocolReadListener StringBuilder reuse info-leak
CVE-2024-7885
7.5 - High
- August 21, 2024
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Race Condition
Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653
5.3 - Medium
- July 08, 2024
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
Memory Leak
Undertow Chunked DoS: Missing 0\r\n Termination in Java 17 TLSv1.3
CVE-2024-5971
7.5 - High
- July 08, 2024
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
Stack Exhaustion
Undertow AJP Path Decoding Race Cond. DOS
CVE-2024-6162
7.5 - High
- June 20, 2024
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
Resource Exhaustion
Quarkus Core Env Var Leakage in Build
CVE-2024-2700
7 - High
- April 04, 2024
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
Exposure of Sensitive Information Through Environmental Variables
Xnio NotifierState Chain Overflow Uncontrolled Resource DoS
CVE-2023-5685
7.5 - High
- March 22, 2024
A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).
Resource Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Apache Camel Hawtio or by Red Hat? Click the Watch button to subscribe.
