CVE-2025-12543

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

CVSS Details

CVSS Score

9.6

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_apache_camel:*:*:*:*:*:spring_boot:*:* - VULNERABLE

cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:* - VULNERABLE

Undertow < 2.3.0

WildFly < 27.0.0

JBoss EAP < 7.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target = 'http://target.com'
payload = {'Host': 'malicious.example.com'}
response = requests.get(target, headers=payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12543
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12543
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12543/
[4] VulDB https://vuldb.com/cve/CVE-2025-12543
[5] https://access.redhat.com/errata/RHSA-2026:0383
[6] https://access.redhat.com/errata/RHSA-2026:0384
[7] https://access.redhat.com/errata/RHSA-2026:0386
[8] https://access.redhat.com/errata/RHSA-2026:3889
[9] https://access.redhat.com/errata/RHSA-2026:3890
[10] https://access.redhat.com/errata/RHSA-2026:3891
[11] https://access.redhat.com/errata/RHSA-2026:3892
[12] https://access.redhat.com/errata/RHSA-2026:4915
[13] https://access.redhat.com/errata/RHSA-2026:4916
[14] https://access.redhat.com/errata/RHSA-2026:4917

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12543", "sourceIdentifier": "[email protected]", "published": "2026-01-07T17:15:55.093", "lastModified": "2026-03-18T16:16:22.420", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en el núcleo del servidor HTTP Undertow, que se utiliza en WildFly, JBoss EAP y otras aplicaciones Java. La biblioteca Undertow no valida correctamente el encabezado Host en las solicitudes HTTP entrantes. Como resultado, las solicitudes que contienen encabezados Host malformados o maliciosos se procesan sin ser rechazadas, lo que permite a los atacantes envenenar cachés, realizar escaneos de red internos o secuestrar sesiones de usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_apache_camel:*:*:*:*:*:spring_boot:*:*", "versionEndExcluding": "4.14.4", "matchCriteriaId": "07091FB7-A140-4D8E-BDB8-1EC9CF463F53"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7095200A-4DAC-4433-99E8-86CA88E1E4D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AAD91726-93D9-4230-BF69-6A79B58E09E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0", "versionEndExcluding": "8.0.12", "matchCriteriaId": "7D2DF1E8-9000-4FB5-9EA8-138D8FB3E2CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.3", "matchCriteriaId": "47585EEB-2EB2-42D6-B06E-290BCE788A9F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.39", "matchCriteriaId": "FD2DF681-F91C-41CD-8031-1A0ABC2EF051"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.21", "matchCriteriaId": "1F2313BE-DB2E-4F91-9F8D-6428B276037A"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:0383", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:0384", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:0386", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:3889", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/e ... (truncated)