9.6

CVE-2025-12543

Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatBuild Of Apache Camel SwPlatformspring_boot Version < 4.14.4
RedhatData Grid Version8.0
RedhatFuse Version7.0.0
RedhatJboss Enterprise Application Platform Version >= 8.0 < 8.0.12
RedhatJboss Enterprise Application Platform Version >= 8.1.0 < 8.1.3
RedhatJboss Enterprise Application Platform Version- SwEditiontext-only
RedhatProcess Automation Version7.0
RedhatSingle Sign-on Version7.0
RedhatUndertow Version < 2.2.39
RedhatUndertow Version >= 2.3.0 < 2.3.21
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.18% 0.636
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
secalert@redhat.com 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/security/cve/CVE-2025-12543
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2408784
Vendor Advisory
Issue Tracking
https://access.redhat.com/errata/RHSA-2026:0384
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:0386
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:0383
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:3890
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:3889
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:3891
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:3892
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:4915
https://access.redhat.com/errata/RHSA-2026:4916
https://access.redhat.com/errata/RHSA-2026:4917
https://access.redhat.com/errata/RHSA-2026:4924
https://access.redhat.com/errata/RHSA-2026:33371
https://access.redhat.com/errata/RHSA-2026:33372
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-12543.json