Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf
Summary
| CVE | CVE-2025-12543 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-07 17:15:55 UTC |
| Updated | 2026-06-30 05:17:10 UTC |
| Description | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Problem Types: CWE-20 | CWE-20 Improper Input Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| 3.1 | [email protected] | Secondary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| 3.1 | CNA | CVSS | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Build Of Apache Camel | All | All | All | All |
| Application | Redhat | Data Grid | 8.0 | All | All | All |
| Application | Redhat | Fuse | 7.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:3889 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:4917 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4915 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3892 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:3890 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| access.redhat.com/security/cve/CVE-2025-12543 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:0384 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:0386 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:33371 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:0383 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-12543.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3891 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:33372 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4916 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4924 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Ahmet Artuç for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-10-31T06:15:35.424Z | Reported to Red Hat. |
| CNA | 2026-01-08T00:00:00.000Z | Made public. |
| ADP | 2025-10-31T06:15:35.424Z | Reported to Red Hat. |
| ADP | 2026-01-08T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:33372: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server
ADP: RHSA-2026:33371: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server
ADP: RHSA-2026:4915: Red Hat JBoss EAP 7.4 ELS for RHEL 7 Server
ADP: RHSA-2026:4916: Red Hat JBoss EAP 7.4 ELS for RHEL 8
ADP: RHSA-2026:3889: Red Hat JBoss EAP 8.0 for RHEL 8
ADP: RHSA-2026:0383: Red Hat JBoss EAP 8.1 for RHEL 8
ADP: RHSA-2026:4917: Red Hat JBoss EAP 7.4 ELS for RHEL 9
ADP: RHSA-2026:3891: Red Hat JBoss EAP 8.0 for RHEL 9
ADP: RHSA-2026:0384: Red Hat JBoss EAP 8.1 for RHEL 9
ADP: RHSA-2026:3892: Red Hat JBoss Enterprise Application Platform 8.0
ADP: RHSA-2026:0386: Red Hat JBoss Enterprise Application Platform 8.1
ADP: RHSA-2026:4924: Red Hat JBoss Enterprise Application Platform
ADP: RHSA-2026:3890: Red Hat build of Apache Camel 4.14.4 for Spring Boot 3.5.11
Workarounds
CNA: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use, applicability, or stability.
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use, applicability, or stability.