CVE Catalog

CVE-2025-12543

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.18%

64th percentile - higher than 64% of all known CVEs

Summary

A flaw was found in the Undertow HTTP server core, used in WildFly, JBoss EAP, and other Java applications, where the Host header in incoming HTTP requests is not properly validated. Attackers can send crafted requests with malformed Host headers, leading to cache poisoning, internal network scanning, or session hijacking.

Risk Assessment

The risk for the organization includes cache poisoning attacks, internal network scanning, and user session hijacking, potentially resulting in data leakage and system integrity compromise.

Recommendation

Immediately update the Undertow library to a version that fixes the Host header validation. Additionally, consider deploying WAF rules to block suspicious Host headers.

Original NVD description (English source)

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS