JBoss Enterprise Application Platform (EAP) 8.1 vulnerabilities

This article lists all security vulnerabilities fixed in released updates for JBoss Enterprise Application Platform (EAP) 8.1.

JBoss Enterprise Application Platform 8.1 Update 5

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 4.1

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 4

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 3

(full notes)

ID Component Impact Summary
CVE-2024-3884 Undertow Moderate undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
CVE-2025-9784 Undertow Important undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
CVE-2025-12543 Undertow Important undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF

JBoss Enterprise Application Platform 8.1 Update 2

(full notes)

ID Component Impact Summary
CVE-2025-4949 Server Moderate org.eclipse.jgit: XXE vulnerability in Eclipse JGit

JBoss Enterprise Application Platform 8.1 Update 1

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 0.1

(full notes)

ID Component Impact Summary
CVE-2025-55163 Server Important netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability
CVE-2025-58056 Server Moderate netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
CVE-2025-48913 Server Important cxf: CXF JMS Code Execution Vulnerability [eap-8.0.z]

Additional fixes from preceding EAP 8.0 updates

JBoss Enterprise Application Platform 8.0 Update 08

(full notes)

ID Component Impact Summary
CVE-2025-2251 EJB Major wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution [details]
CVE-2025-23184 Server Major org.apache.cxf/cxf-core: Apache CXF: Denial of Service vulnerability with temporary files
CVE-2025-27611 Server Major org.jboss.hal-hal-parent: base-x homograph attack allows Unicode lookalike characters to bypass validation.
CVE-2025-48734 Server Major commons-beanutils-commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
CVE-2025-2901 Server Major org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console

JBoss Enterprise Application Platform 8.0 Update 07

(full notes)

ID Component Impact Summary
CVE-2024-12369 Security Moderate org.wildfly/wildfly-elytron-oidc-client-subsystem: OIDC Authorization Code Injection
CVE-2025-23367 Management Moderate org.wildfly.core/wildfly-server: Wildfly improper RBAC permission

JBoss Enterprise Application Platform 8.0 Update 06.1

(full notes)

ID Component Impact Summary
CVE-2024-8447 Server Moderate org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator
CVE-2024-47535 Server Moderate io.netty/netty: Denial of Service attack on windows app using Netty
CVE-2025-24970 Server Important io.netty/netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
CVE-2025-25193 Server Moderate netty-common: Denial of Service attack on windows app using Netty

JBoss Enterprise Application Platform 8.0 Update 06

(full notes)

ID Component Impact Summary
CVE-2024-10234 Web Console Moderate org.wildfly.core/wildfly-core-management-subsystem: Wildfly vulnerable to Cross-Site Scripting (XSS)

JBoss Enterprise Application Platform 8.0 Update 05.1

(full notes)

ID Component Impact Summary
CVE-2024-51127 Web Services Major org.hornetq/hornetq-core-client: From CVEorg collector

JBoss Enterprise Application Platform 8.0 Update 05

(full notes)

ID Component Impact Summary
CVE-2024-8447 Server Major org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator [eap-8.0.z]
CVE-2024-4109 Undertow Moderate undertow information leakage via HTTP/2 request header reuse

JBoss Enterprise Application Platform 8.0 Update 04.1

(full notes)

ID Component Impact Summary
CVE-2024-8883 Server Minor org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirect [eap-8.0.z]

JBoss Enterprise Application Platform 8.0 Update 04

(full notes)

ID Component Impact Summary
CVE-2024-4029 Management Low wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)
CVE-2023-52428 Security Important com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
CVE-2024-8698 Security Important org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
CVE-2022-34169 Server Important xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
CVE-2024-41172 Web Services Moderate org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients

JBoss Enterprise Application Platform 8.0 Update 03.1

(full notes)

ID Component Impact Summary
CVE-2024-7885 Undertow Important undertow: Improper State Management in Proxy Protocol parsing causes information leakage
CVE-2024-21634 Clustering Important software.amazon.ion/ion-java: ion-java: Ion Java StackOverflow vulnerability

JBoss Enterprise Application Platform 8.0 Update 03

(full notes)

ID Component Impact Summary
CVE-2024-30172 Moderate org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class
CVE-2024-30171 Security Moderate org.bouncycastle-bcprov-jdk18on: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)
CVE-2024-29857 Server Moderate org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service
CVE-2024-28752 Web Services Important cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding
CVE-2024-29025 JMS Moderate netty-codec-http: Allocation of Resources Without Limits or Throttling

JBoss Enterprise Application Platform 8.0 Update 02.1

(full notes)

ID Component Impact Summary
CVE-2023-51775 Security Moderate jose4j: denial of service via specially crafted JWE
CVE-2024-5971 Server Important undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
CVE-2024-3653 Undertow Low undertow: LearningPushHandler can lead to remote memory DoS attacks
CVE-2024-27316 Undertow Moderate HTTP-2: httpd: CONTINUATION frames DoS

JBoss Enterprise Application Platform 8.0 Update 02

(full notes)

ID Component Impact Summary
CVE-2024-1233 Security Moderate eap: JBoss EAP: wildfly-elytron has a SSRF security issue
CVE-2024-1102 Server Moderate jberet-core: jberet: jberet-core logging database credentials
CVE-2023-4503 Server Moderate eap-galleon: custom provisioning creates unsecured http-invoker
CVE-2023-6236 Security Moderate eap: JBoss EAP: OIDC app attempting to access the second tenant, the user should be prompted to log

JBoss Enterprise Application Platform 8.0 Update 01.1

(full notes)

ID Component Impact Summary
CVE-2023-4639 Server Moderate undertow: Cookie Smuggling/Spoofing
CVE-2024-6162 Undertow Moderate undertow: url-encoded request path information can be broken on ajp-listener
CVE-2023-1973 Undertow Important undertow: unrestricted request storage leads to memory exhaustion

JBoss Enterprise Application Platform 8.0 Update 01

(full notes)

ID Component Impact Summary
CVE-2023-4759 Management Moderate jgit: arbitrary file overwrite
CVE-2023-48795 Server Moderate apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
CVE-2023-35887 Server Low sshd-common: apache-mina-sshd: information exposure in SFTP server implementations