CVE-2025-12543

moderate-risk

Published 2026-01-07

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.6/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Build Of Apache Camel

Data Grid

Fuse

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform Expansion Pack

Process Automation

Single Sign-On

Undertow

Affected Vendors

Redhat

References (13)

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:0383

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:0384

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:0386

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:3889

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:3890

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:3891

Vendor Advisory https://access.redhat.com/errata/RHSA-2026:3892

https://access.redhat.com/errata/RHSA-2026:4915

https://access.redhat.com/errata/RHSA-2026:4916

https://access.redhat.com/errata/RHSA-2026:4917

https://access.redhat.com/errata/RHSA-2026:4924

Vendor Advisory https://access.redhat.com/security/cve/CVE-2025-12543

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2408784

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 0/34 · Minimal

Exposure 16/34 · Moderate