Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884 Published on December 3, 2025

Undertow: outofmemory when parsing form data encoding with application/x-www-form-urlencoded
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-3884 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Timeline

2024-04-16

Reported to Red Hat.

2025-12-03

Made public. 596 days later.

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2024-3884

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Serverless

Red Hat Camel Quarkus

Red Hat Camel Spring Boot

Red Hat Apache Camel Hawtio

Red Hat Service Registry

Red Hat Build Keycloak

Red Hat Optaplanner

Red Hat Quarkus

Red Hat Jboss Data Grid

Red Hat Jboss Fuse

Red Hat Integration

Red Hat Jboss Enterprise Application Platform

Red Hat Jbosseapxp

Red Hat Jboss Fuse Service Works

Red Hat Jboss Enterprise Bpms Platform

Red Hat Single Sign On

Red Hat Amq Streams

Red Hat Undertow

Affected Versions

Red Hat JBoss Enterprise Application Platform 8.0: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:1.83.0-1.redhat_00001.1.el8eap and below * is unaffected.

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:33.0.0-2.jre_redhat_00003.1.el8eap and below * is unaffected.

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:4.0.6-1.redhat_00001.1.el8eap and below * is unaffected.

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:1.0.0-3.redhat_00009.1.el8eap and below * is unaffected.

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:2.0.2-1.Final_redhat_00001.1.el8eap and below * is unaffected.

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8:

Version 0:2.3.23-1.SP3_redhat_00001.1.el8eap and below * is unaffected.