CVE-2024-1635: Uncontrolled Resource Consumption
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
AI Analysis
Technical Summary
CVE-2024-1635 is a high-severity vulnerability affecting Undertow version 1.31.0, specifically related to its handling of the wildfly-http-client protocol. The vulnerability arises from an uncontrolled resource consumption issue triggered when a malicious actor repeatedly opens and immediately closes connections to the server's HTTP port. The root cause lies in the HTTP upgrade mechanism to remoting, where the WriteTimeoutStreamSinkConduit component leaks connections if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener during the connection opening phase. Because the remoting connection is layered within Undertow's HTTP upgrade process, the outermost connection layer closure is not properly communicated to the WriteTimeoutStreamSinkConduit. This results in the conduit not being notified of the closed connection, causing it to retain a timeout task linked to the connection. This timeout task is added to the XNIO WorkerThread, which then maintains references to the conduit and all associated connections, leading to a memory and file descriptor leak. Over time, this leak exhausts both memory and open file limits on the server, potentially causing denial of service (DoS) conditions. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, making it particularly dangerous for exposed servers. The CVSS 3.1 base score is 7.5, reflecting a high impact on availability with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, but the ease of exploitation and the nature of the flaw suggest a significant risk if left unmitigated.
Potential Impact
For European organizations, the primary impact of CVE-2024-1635 is the risk of denial of service due to resource exhaustion on servers running Undertow 1.31.0 with wildfly-http-client protocol support. This can disrupt critical web services, internal applications, or middleware components relying on Undertow, leading to operational downtime and potential financial losses. Organizations in sectors with high availability requirements such as finance, healthcare, telecommunications, and government services are particularly vulnerable. The exhaustion of memory and file descriptors can also complicate incident response and recovery efforts, increasing downtime duration. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely directly from this flaw; however, service unavailability can indirectly impact business continuity and trust. Additionally, the vulnerability can be exploited without authentication or user interaction, increasing the attack surface for external threat actors targeting exposed endpoints. European organizations with public-facing Undertow servers or internal systems accessible via HTTP ports are at heightened risk, especially if they have not yet applied patches or mitigations.
Mitigation Recommendations
Upgrade Undertow to a version later than 1.31.0 where this vulnerability is patched. Monitor vendor advisories for official patches or updates addressing CVE-2024-1635. Implement network-level protections such as rate limiting and connection throttling on HTTP ports to reduce the impact of rapid open/close connection attempts. Deploy Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious connection patterns indicative of exploitation attempts. Monitor server resource usage closely, including memory and file descriptor counts, to detect anomalous spikes that may indicate exploitation. Isolate critical Undertow servers behind VPNs or internal networks where possible to limit exposure to untrusted external actors. Review and harden HTTP upgrade and remoting protocol configurations to minimize unnecessary exposure and ensure proper connection lifecycle management. Establish automated alerting for worker thread anomalies or resource leaks within Undertow-based applications to enable rapid incident response. Conduct regular security assessments and penetration tests focusing on resource exhaustion vectors to validate the effectiveness of mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
CVE-2024-1635: Uncontrolled Resource Consumption
Description
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
AI-Powered Analysis
Technical Analysis
CVE-2024-1635 is a high-severity vulnerability affecting Undertow version 1.31.0, specifically related to its handling of the wildfly-http-client protocol. The vulnerability arises from an uncontrolled resource consumption issue triggered when a malicious actor repeatedly opens and immediately closes connections to the server's HTTP port. The root cause lies in the HTTP upgrade mechanism to remoting, where the WriteTimeoutStreamSinkConduit component leaks connections if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener during the connection opening phase. Because the remoting connection is layered within Undertow's HTTP upgrade process, the outermost connection layer closure is not properly communicated to the WriteTimeoutStreamSinkConduit. This results in the conduit not being notified of the closed connection, causing it to retain a timeout task linked to the connection. This timeout task is added to the XNIO WorkerThread, which then maintains references to the conduit and all associated connections, leading to a memory and file descriptor leak. Over time, this leak exhausts both memory and open file limits on the server, potentially causing denial of service (DoS) conditions. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, making it particularly dangerous for exposed servers. The CVSS 3.1 base score is 7.5, reflecting a high impact on availability with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, but the ease of exploitation and the nature of the flaw suggest a significant risk if left unmitigated.
Potential Impact
For European organizations, the primary impact of CVE-2024-1635 is the risk of denial of service due to resource exhaustion on servers running Undertow 1.31.0 with wildfly-http-client protocol support. This can disrupt critical web services, internal applications, or middleware components relying on Undertow, leading to operational downtime and potential financial losses. Organizations in sectors with high availability requirements such as finance, healthcare, telecommunications, and government services are particularly vulnerable. The exhaustion of memory and file descriptors can also complicate incident response and recovery efforts, increasing downtime duration. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely directly from this flaw; however, service unavailability can indirectly impact business continuity and trust. Additionally, the vulnerability can be exploited without authentication or user interaction, increasing the attack surface for external threat actors targeting exposed endpoints. European organizations with public-facing Undertow servers or internal systems accessible via HTTP ports are at heightened risk, especially if they have not yet applied patches or mitigations.
Mitigation Recommendations
Upgrade Undertow to a version later than 1.31.0 where this vulnerability is patched. Monitor vendor advisories for official patches or updates addressing CVE-2024-1635. Implement network-level protections such as rate limiting and connection throttling on HTTP ports to reduce the impact of rapid open/close connection attempts. Deploy Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious connection patterns indicative of exploitation attempts. Monitor server resource usage closely, including memory and file descriptor counts, to detect anomalous spikes that may indicate exploitation. Isolate critical Undertow servers behind VPNs or internal networks where possible to limit exposure to untrusted external actors. Review and harden HTTP upgrade and remoting protocol configurations to minimize unnecessary exposure and ensure proper connection lifecycle management. Establish automated alerting for worker thread anomalies or resource leaks within Undertow-based applications to enable rapid incident response. Conduct regular security assessments and penetration tests focusing on resource exhaustion vectors to validate the effectiveness of mitigations.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2024-02-19T17:25:58.418Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d983ec4522896dcbefa69
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 5:36:07 PM
Last updated: 8/1/2025, 8:28:59 AM
Views: 16
Related Threats
CVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android
HighCVE-2025-8959: CWE-59: Improper Link Resolution Before File Access (Link Following) in HashiCorp Shared library
HighCVE-2025-44201
LowCVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library
MediumCVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.