CVE-2024-53299: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-53299) was discovered in Apache Wicket's core request handling component. The vulnerability affects multiple versions of Apache Wicket, including versions 7.0.0 through 7.18., 8.0.0-M1 through 8.16., 9.0.0-M1 through 9.18., and 10.0.0-M1 through 10.2.. The issue was disclosed on January 22, 2025, and was identified by security researcher Pedro Santos (OSS Security).

The vulnerability exists in the core request handling mechanism of Apache Wicket 7.0.0 and allows attackers to create a Denial of Service (DoS) condition through multiple requests to server resources. The issue has been assigned CWE-400 (Uncontrolled Resource Consumption) and received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a Denial of Service condition through memory leaks, potentially affecting the availability of systems running vulnerable versions of Apache Wicket. The attack can be triggered by sending multiple requests to server resources, potentially impacting service availability (OSS Security).

Users are strongly recommended to upgrade to Apache Wicket versions 9.19.0 or 10.3.0, which contain fixes for this vulnerability. These versions have been specifically released to address the memory leak issue (OSS Security).