VDB
CVE-2025-12543
CVE-2025-12543
PUBLISHED
CVSS 9.600000381469727 CRITICAL
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
EPSS 0.05% · 16.0th percentile
Risk Scores
CVSS v3.1
9.600000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS Score
0.05%
16.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| redhat | undertow | 0, 2.3.0, 2.3.0 |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:33.0.0-2.jre_redhat_00003.1.el8eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 | 0:2.2.39-1.Final_redhat_00001.1.el9eap |
| Red Hat | Red Hat Fuse 7 | |
| redhat | process_automation | 7.0, 7.0 |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:6.6.36-1.Final_redhat_00001.1.el9eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | |
| Red Hat | Red Hat build of Apache Camel - HawtIO 4 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.3.20-2.SP4_redhat_00001.1.el8eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:8.1.1-4.GA_redhat_00007.1.el8eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:33.0.0-2.jre_redhat_00003.1.el9eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.6.6-1.Final_redhat_00001.1.el8eap |
| Red Hat | Red Hat Process Automation 7 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | * |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.3.23-1.SP3_redhat_00001.1.el9eap |
| Red Hat | Red Hat Data Grid 8 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:5.0.12-1.Final_redhat_00001.1.el8eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | * |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:1.0.1-3.redhat_00003.1.el8eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:1.0.0-3.redhat_00009.1.el9eap |
…and 45 more
Timeline
- Jan 7, 2026 CVE Published
- Jan 7, 2026 PoC Published
- Jan 7, 2026 PoC Published
- Jan 7, 2026 PoC Published
- Jan 8, 2026 EPSS Score
- Jan 9, 2026 PoC Published
- Jan 9, 2026 PoC Published
- Jan 9, 2026 PoC Published
- Jan 10, 2026 PoC Published
- Jan 11, 2026 EPSS Score
- Jan 13, 2026 PoC Published
- Jan 13, 2026 PoC Published
References
- RHSA-2026:0383 vendor-advisory
- RHSA-2026:0384 vendor-advisory
- RHSA-2026:0386 vendor-advisory
- RHSA-2026:3889 vendor-advisory
- RHSA-2026:3890 vendor-advisory
- RHSA-2026:3891 vendor-advisory
- RHSA-2026:3892 vendor-advisory
- RHSA-2026:4915 vendor-advisory
- RHSA-2026:4916 vendor-advisory
- RHSA-2026:4917 vendor-advisory
- RHSA-2026:4924 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2025-12543 vdb
- RHBZ#2408784 issue
- https://nvd.nist.gov/vuln/detail/CVE-2025-12543 advisory
- https://github.com/undertow-io/undertow/pull/1860 url
- https://github.com/undertow-io/undertow/pull/1857 url
- https://issues.redhat.com/browse/UNDERTOW-2656 url
- https://github.com/undertow-io/undertow/releases/tag/2.3.21.Final url
- https://github.com/undertow-io/undertow/releases/tag/2.2.39.Final url
- https://github.com/undertow-io/undertow package