JBoss Enterprise Application Platform (EAP) 8.0 vulnerabilities


This article lists all security vulnerabilities fixed in released updates for JBoss Enterprise Application Platform (EAP) 8.0.

JBoss Enterprise Application Platform 8.0 Update 12


ID | Component | Impact | Summary
JBEAP-30801 | Undertow | Important | [Minor Incident] CVE-2025-9784 undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
JBEAP-26958 | Undertow | Moderate | CVE-2024-3884 undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
JBEAP-31388 | Undertow | Important | CVE-2025-12543 undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF

JBoss Enterprise Application Platform 8.0 Update 11


ID | Component | Impact | Summary
CVE-2025-4949 | Server | Moderate | org.eclipse.jgit: XXE vulnerability in Eclipse JGit
CVE-2025-23366 | Web Console | Moderate | org.jboss.hal/hal-console: Wildfly HAL Console Cross-Site Scripting

JBoss Enterprise Application Platform 8.0 Update 10

No CVE fixes

JBoss Enterprise Application Platform 8.0 Update 09.1


ID | Component | Impact | Summary
CVE-2025-55163 | Server | Important | netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability
CVE-2025-58056 | Server | Moderate | netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
CVE-2025-48913 | Web Services | Important | cxf: CXF JMS Code Execution Vulnerability [eap-8.0.z]

JBoss Enterprise Application Platform 8.0 Update 09

No CVE fixes

JBoss Enterprise Application Platform 8.0 Update 08


ID | Component | Impact | Summary
CVE-2025-2251 | EJB | Major | wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution [details]
CVE-2025-23184 | Server | Major | org.apache.cxf/cxf-core: Apache CXF: Denial of Service vulnerability with temporary files
CVE-2025-27611 | Server | Major | org.jboss.hal-hal-parent: base-x homograph attack allows Unicode lookalike characters to bypass validation
CVE-2025-48734 | Server | Major | commons-beanutils-commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
CVE-2025-2901 | Server | Major | org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console

JBoss Enterprise Application Platform 8.0 Update 07


ID | Component | Impact | Summary
CVE-2024-12369 | Security | Moderate | org.wildfly/wildfly-elytron-oidc-client-subsystem: OIDC Authorization Code Injection
CVE-2025-23367 | Management | Moderate | org.wildfly.core/wildfly-server: Wildfly improper RBAC permission

JBoss Enterprise Application Platform 8.0 Update 06.1


ID | Component | Impact | Summary
CVE-2024-8447 | Server | Moderate | org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator
CVE-2024-47535 | Server | Moderate | io.netty/netty: Denial of Service attack on windows app using Netty
CVE-2025-24970 | Server | Important | io.netty/netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
CVE-2025-25193 | Server | Moderate | netty-common: Denial of Service attack on windows app using Netty

JBoss Enterprise Application Platform 8.0 Update 06


ID | Component | Impact | Summary
CVE-2024-10234 | Web Console | Moderate | org.wildfly.core/wildfly-core-management-subsystem: Wildfly vulnerable to Cross-Site Scripting (XSS)

JBoss Enterprise Application Platform 8.0 Update 05.1


ID | Component | Impact | Summary
CVE-2024-51127 | Web Services | Major | org.hornetq/hornetq-core-client: From CVEorg collector

JBoss Enterprise Application Platform 8.0 Update 05


ID | Component | Impact | Summary
CVE-2024-8447 | Server | Major | org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator [eap-8.0.z]
CVE-2024-4109 | Undertow | Moderate | undertow information leakage via HTTP/2 request header reuse

JBoss Enterprise Application Platform 8.0 Update 04.1


ID | Component | Impact | Summary
CVE-2024-8883 | Server | Minor | org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirect [eap-8.0.z]

JBoss Enterprise Application Platform 8.0 Update 04


ID | Component | Impact | Summary
CVE-2024-4029 | Management | Low | wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)
CVE-2023-52428 | Security | Important | com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
CVE-2024-8698 | Security | Important | org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
CVE-2022-34169 | Server | Important | xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
CVE-2024-41172 | Web Services | Moderate | org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients

JBoss Enterprise Application Platform 8.0 Update 03.1


ID | Component | Impact | Summary
CVE-2024-7885 | Undertow | Important | undertow: Improper State Management in Proxy Protocol parsing causes information leakage
CVE-2024-21634 | Clustering | Important | software.amazon.ion/ion-java: ion-java: Ion Java StackOverflow vulnerability

JBoss Enterprise Application Platform 8.0 Update 03


ID | Component | Impact | Summary
CVE-2024-30172 | | Moderate | org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class
CVE-2024-30171 | Security | Moderate | org.bouncycastle-bcprov-jdk18on: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)
CVE-2024-29857 | Server | Moderate | org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service
CVE-2024-28752 | Web Services | Important | cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding
CVE-2024-29025 | JMS | Moderate | netty-codec-http: Allocation of Resources Without Limits or Throttling

JBoss Enterprise Application Platform 8.0 Update 02.1


ID | Component | Impact | Summary
CVE-2023-51775 | Security | Moderate | jose4j: denial of service via specially crafted JWE
CVE-2024-5971 | Server | Important | undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
CVE-2024-3653 | Undertow | Low | undertow: LearningPushHandler can lead to remote memory DoS attacks
CVE-2024-27316 | Undertow | Moderate | HTTP-2: httpd: CONTINUATION frames DoS

JBoss Enterprise Application Platform 8.0 Update 02


ID | Component | Impact | Summary
CVE-2024-1233 | Security | Moderate | eap: JBoss EAP: wildfly-elytron has a SSRF security issue
CVE-2024-1102 | Server | Moderate | jberet-core: jberet: jberet-core logging database credentials
CVE-2023-4503 | Server | Moderate | eap-galleon: custom provisioning creates unsecured http-invoker
CVE-2023-6236 | Security | Moderate | eap: JBoss EAP: OIDC app attempting to access the second tenant, the user should be prompted to log

JBoss Enterprise Application Platform 8.0 Update 01.1


ID | Component | Impact | Summary
CVE-2023-4639 | Server | Moderate | undertow: Cookie Smuggling/Spoofing
CVE-2024-6162 | Undertow | Moderate | undertow: url-encoded request path information can be broken on ajp-listener
CVE-2023-1973 | Undertow | Important | undertow: unrestricted request storage leads to memory exhaustion

JBoss Enterprise Application Platform 8.0 Update 01


ID | Component | Impact | Summary
CVE-2023-4759 | Management | Moderate | jgit: arbitrary file overwrite
CVE-2023-48795 | Server | Moderate | apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
CVE-2023-35887 | Server | Low | sshd-common: apache-mina-sshd: information exposure in SFTP server implementations
