CVE-2025-12543

Severity: 9.6 CRITICAL
EPSS: 0.0% (top 85.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 7; latest update Apr 2

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Exploitability: 2.8 | Impact: 6.0

Affected Packages (8 packages)

Source | Package                     | Affected from | Fixed in     | More
Maven  | io.undertow:undertow-core   | 2.3.0.Alpha1  | 2.3.21.Final | +1
NVD    | redhat/undertow             | 2.3.0         | 2.3.21       | +1
NVD    | redhat/fuse                 | 7.0.0         |              |

🔴 Vulnerability Details (4)

GHSA (2026-01-07): Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests
CVEList (2026-01-07): Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf
OSV (2026-01-07): Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests
OSV (2026-01-07): CVE-2025-12543: A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications

📋 Vendor Advisories (3)

Ubuntu (2026-04-02): Undertow vulnerability
Red Hat (2026-01-08): undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
Debian (2025): CVE-2025-12543: undertow - A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBo...

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-12543 Impact, Exploitability, and Mitigation Steps | Wiz