Critical severityOSV Advisory· Published Jan 7, 2026· Updated Apr 29, 2026
Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf
CVE-2025-12543
Description
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | >= 2.3.0.Alpha1, < 2.3.21.Final | 2.3.21.Final |
io.undertow:undertow-coreMaven | < 2.2.39.Final | 2.2.39.Final |
Affected products
1- Range: 1.0.0.Alpha1, 1.0.0.Alpha10, 1.0.0.Alpha11, …
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
20- access.redhat.com/errata/RHSA-2026:0383ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0384ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:0386ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3889ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3890ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3891ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:3892ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4915ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4916ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4917ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2026:4924ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-j382-5jj3-vw4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-12543ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-12543ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/undertow-io/undertow/pull/1857ghsaWEB
- github.com/undertow-io/undertow/pull/1860ghsaWEB
- github.com/undertow-io/undertow/releases/tag/2.2.39.FinalghsaWEB
- github.com/undertow-io/undertow/releases/tag/2.3.21.FinalghsaWEB
- issues.redhat.com/browse/UNDERTOW-2656ghsaWEB
News mentions
0No linked articles in our index yet.