Host Header Vulnerability in Undertow HTTP Server for WildFly and JBoss EAP
CVE-2025-12543

9.6CRITICAL

Key Information:

Vendor

Red Hat
Status
Red Hat Jboss Enterprise Application Platform 8.1
Red Hat Jboss Enterprise Application Platform 8.1 For Rhel 8
Red Hat Jboss Enterprise Application Platform 8.1 For Rhel 9
Red Hat Build Of Apache Camel For Spring Boot 4
Vendor
CVE Published:
7 January 2026

What is CVE-2025-12543?

A flaw exists in the core of the Undertow HTTP server, utilized by WildFly and JBoss EAP. This vulnerability arises from inadequate validation of the Host header in incoming HTTP requests. Malicious or malformed Host headers are not properly rejected, allowing attackers to exploit this weakness. Consequently, they can poison caches, perform scans of internal networks, or hijack user sessions, posing serious security risks to affected applications.

Affected Version(s)

Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 0:4.0.10-1.redhat_00001.1.el8eap

Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 0:1.82.0-1.redhat_00001.1.el8eap

Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 0:801.3.0-1.GA_redhat_00001.1.el8eap

References

https://access.redhat.com/errata/RHSA-2026:0383
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0384
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0386
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Ahmet Artuç for reporting this issue.
JSON
.
CVE-2025-12543 : Host Header Vulnerability in Undertow HTTP Server for WildFly and JBoss EAP