Undertow Request Smuggling Vulnerability Due to Inconsistent Header Parsing

Vulnerability

A request smuggling vulnerability has been identified in Undertow. The issue stems from Undertow parsing header names differently from upstream proxies. Because the proxy and Undertow disagree about how a request is framed, a remote attacker can craft requests that exploit this inconsistency, potentially bypassing security controls and accessing unauthorized resources. When Undertow is deployed behind such a proxy, this difference in header interpretation can be used to smuggle requests, leading to unauthorized access or cache poisoning.

Impact

Exploitation of this vulnerability can cause request smuggling, allowing attackers to bypass security controls and access unauthorized resources. This could also lead to web cache poisoning, where cached content is manipulated to serve malicious data.

Added: Mar 27, 2026, 5:38 PM
Updated: Mar 27, 2026, 5:38 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 7.3
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.