CVE-2025-12543

Source
https://cve.org/CVERecord?id=CVE-2025-12543
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12543.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-12543
Aliases
Downstream
Related
Published
2026-01-07T17:15:55.093Z
Modified
2026-03-15T21:45:01.800070Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or attacker-controlled Host headers are processed instead of being rejected with a 400 response, enabling attackers to poison caches, perform internal network scans, or hijack user sessions in applications that trust the Host value.
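The check the advisory says is missing, shown as an added illustration (editor's example, not Undertow code and not the upstream fix): a strict parser for the Host field-value following the uri-host [ ":" port ] syntax of RFC 7230 and RFC 3986, followed by the per-request decision a server should make (reject malformed, missing or duplicate Host with 400, reject a well-formed but unserved host with 421, otherwise use the canonical host). The allowed-host set, the sample requests and the helper names are constructed for this example.

```python
import ipaddress
import re

# Editor's example, not Undertow code. Conservative DNS-hostname subset of the
# RFC 3986 reg-name rule: 1-63 char labels of letters/digits/hyphens, not
# starting or ending in a hyphen, joined by dots, optional trailing dot.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def parse_host_header(value):
    """Return (host, port) for a syntactically valid Host value, else None.
    host is lowercased; port is an int or None (an empty port is allowed)."""
    if value is None:
        return None
    # Control characters and whitespace can only come from header injection or
    # smuggling attempts, so reject them before any further parsing.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return None
    if value.startswith("["):
        # IP-literal form: "[" IPv6address "]" [ ":" port ]
        end = value.find("]")
        if end == -1:
            return None
        try:
            ipaddress.IPv6Address(value[1:end])
        except ValueError:
            return None
        host, rest = value[: end + 1].lower(), value[end + 1 :]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
        if not _HOSTNAME_RE.match(host):  # also rejects an empty host
            return None
        host = host.lower()
    port = None
    if rest:
        if not rest.startswith(":"):
            return None
        port_str = rest[1:]
        if port_str:
            if not _PORT_RE.match(port_str) or int(port_str) > 65535:
                return None
            port = int(port_str)
    return host, port


def route_request(headers, allowed_hosts):
    """Server-side decision for a list of (name, value) header tuples:
    (400, None) for missing/duplicate/malformed Host, (421, None) for a host
    this server does not serve, else (200, canonical_host)."""
    host_values = [v for (k, v) in headers if k.lower() == "host"]
    if len(host_values) != 1:
        return 400, None
    parsed = parse_host_header(host_values[0])
    if parsed is None:
        return 400, None
    host, port = parsed
    if host not in allowed_hosts:
        return 421, None
    return 200, host if port is None else f"{host}:{port}"


def redirect_location_unchecked(headers, path):
    """The pattern the advisory warns about: an absolute URL built from the raw
    Host value, so an attacker-chosen host ends up in a response that a shared
    cache may store and serve to other users."""
    raw_host = next(v for (k, v) in headers if k.lower() == "host")
    return "https://" + raw_host + path


def redirect_location_checked(headers, allowed_hosts, path):
    """Same URL, built only from a validated and allowlisted host."""
    status, canonical = route_request(headers, allowed_hosts)
    return "https://" + canonical + path if status == 200 else None


# Constructed sample data: the hosts this server is configured to serve and a
# set of request header lists exercising valid, malformed and hostile cases.
ALLOWED = {"app.example", "[::1]", "127.0.0.1"}
SAMPLE_REQUESTS = {
    "legit": [("Host", "App.Example:8443")],
    "poison": [("Host", "attacker.example")],
    "crlf": [("Host", "app.example\r\nX-Forwarded-Host: attacker.example")],
    "ipv6": [("Host", "[::1]:8080")],
    "bad_ipv6": [("Host", "[::zz]")],
    "duplicate": [("Host", "app.example"), ("Host", "attacker.example")],
    "missing": [("User-Agent", "x")],
    "port_overflow": [("Host", "app.example:99999")],
    "dash": [("Host", "-app.example")],
}

if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        print(f"{name:14s} -> {route_request(headers, ALLOWED)}")
    print("unchecked poison redirect:", redirect_location_unchecked(SAMPLE_REQUESTS["poison"], "/login"))
    print("checked   poison redirect:", redirect_location_checked(SAMPLE_REQUESTS["poison"], ALLOWED, "/login"))
```

The allowlist stands in for a server's configured virtual hosts; the point is that syntax validation alone is not enough, because a well-formed but foreign host must still be refused before it is used to build cache keys, redirects or outbound connections.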

References

Affected packages

Git / github.com/undertow-io/undertow

Affected ranges

Type
GIT
Repo
https://github.com/undertow-io/undertow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.39"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.21"
        }
    ]
}

Affected versions

2.*
2.3.0.Final
2.3.1.Final
2.3.10.Final
2.3.11.Final
2.3.12.Final
2.3.13.Final
2.3.14.Final
2.3.15.Final
2.3.16.Final
2.3.17.Final
2.3.18.Final
2.3.19.Final
2.3.2.Final
2.3.20.Final
2.3.3.Final
2.3.4.Final
2.3.5.Final
2.3.6.Final
2.3.7.Final
2.3.8.Final
2.3.9.Final

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12543.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "4.14.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.0"
            },
            {
                "fixed": "8.0.12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.1.0"
            },
            {
                "fixed": "8.1.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    }
]