Undertow OOM via large servlet param names
CVE-2024-4027 Published on January 30, 2026
Undertow: outofmemoryerror in httpservletrequestimpl.getparameternames() can cause remote dos attacks
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.
Vulnerability Analysis
CVE-2024-4027 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 648 days later.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2024-4027
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat OpenShift Serverless: Red Hat build of Apache Camel 4 for Quarkus 3: Red Hat build of Apache Camel for Spring Boot 3: Red Hat build of Apache Camel for Spring Boot 4: Red Hat build of Apache Camel - HawtIO 4: Red Hat build of Apicurio Registry 2: Red Hat Build of Keycloak: Red Hat build of OptaPlanner 8: Red Hat build of Quarkus: Red Hat Data Grid 8: Red Hat Fuse 7: Red Hat Integration Camel K 1: Red Hat JBoss Data Grid 7: Red Hat JBoss Enterprise Application Platform 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat JBoss Fuse Service Works 6: Red Hat Process Automation 7: Red Hat Single Sign-On 7: Red Hat streams for Apache Kafka:Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.