Critical severityOSV Advisory· Published Jan 7, 2026· Updated Apr 29, 2026
Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf
CVE-2025-12543
Description
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | >= 2.3.0.Alpha1, < 2.3.21.Final | 2.3.21.Final |
io.undertow:undertow-coreMaven | < 2.2.39.Final | 2.2.39.Final |
Affected products
6- Range: 1.0.0.Alpha1, 1.0.0.Alpha10, 1.0.0.Alpha11, …
- osv-coords5 versionspkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-21pkg:maven/io.undertow/undertow-core
< 39.0.0-r0+ 4 more
- (no CPE)range: < 39.0.0-r0
- (no CPE)range: < 39.0.0-r0
- (no CPE)range: < 39.0.0-r0
- (no CPE)range: < 39.0.0-r0
- (no CPE)
Patches
Vulnerability mechanics
References
20- access.redhat.com/errata/RHSA-2026:0383ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0384ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0386ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3889ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3890ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3891ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3892ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4915ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4916ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4917ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4924ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-j382-5jj3-vw4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-12543ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-12543ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/undertow-io/undertow/pull/1857ghsaWEB
- github.com/undertow-io/undertow/pull/1860ghsaWEB
- github.com/undertow-io/undertow/releases/tag/2.2.39.FinalghsaWEB
- github.com/undertow-io/undertow/releases/tag/2.3.21.FinalghsaWEB
- issues.redhat.com/browse/UNDERTOW-2656ghsaWEB
News mentions
0No linked articles in our index yet.