Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests

GHSA-j382-5jj3-vw4j · CVE-2025-12543

Published Jan 7, 2026 · Modified Mar 18, 2026

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-12543
WEB https://github.com/undertow-io/undertow/pull/1860
WEB https://github.com/undertow-io/undertow/pull/1857
WEB https://issues.redhat.com/browse/UNDERTOW-2656
WEB https://github.com/undertow-io/undertow/releases/tag/2.3.21.Final
WEB https://github.com/undertow-io/undertow/releases/tag/2.2.39.Final
PACKAGE https://github.com/undertow-io/undertow
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2408784
WEB https://access.redhat.com/security/cve/CVE-2025-12543
WEB https://access.redhat.com/errata/RHSA-2026:4924
WEB https://access.redhat.com/errata/RHSA-2026:4917
WEB https://access.redhat.com/errata/RHSA-2026:4916
WEB https://access.redhat.com/errata/RHSA-2026:4915
WEB https://access.redhat.com/errata/RHSA-2026:3892
WEB https://access.redhat.com/errata/RHSA-2026:3891
WEB https://access.redhat.com/errata/RHSA-2026:3890
WEB https://access.redhat.com/errata/RHSA-2026:3889
WEB https://access.redhat.com/errata/RHSA-2026:0386
WEB https://access.redhat.com/errata/RHSA-2026:0384
WEB https://access.redhat.com/errata/RHSA-2026:0383

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes