DEBIAN-CVE-2025-12543

DEBIAN-CVE-2025-12543 PUBLISHED CVSS 9.600000381469727 CRITICAL

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Risk Scores

CVSS 3.1

9.600000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:14	undertow	0, 1.3.11-1, 1.3.16-1

Exploit Intelligence

kavin71725/CVE-2025-12543-Fix-for-Wildfly (github-poc-repo)
kavin71725/CVE-2025-12543-Fix-for-Wildfly (github-poc)
index.html (github-poc)
Server.java (github-poc)

Timeline

Jan 7, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-12543 advisory

Open in Interactive Console →