UBUNTU-CVE-2025-12543

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-12543

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-12543

Upstream

CVE-2025-12543

Published

2026-01-08T00:00:00Z

Modified

2026-01-08T06:30:00.539034Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Ubuntu - high

Summary

[none]

Details

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

References

Affected packages

Ubuntu:16.04:LTS

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@1.3.16-1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.4-1

1.3.5-1

1.3.7-1

1.3.11-1

1.3.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "1.3.16-1"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:18.04:LTS

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@1.4.23-3?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.20-1

1.4.21-1

1.4.22-1

1.4.23-1

1.4.23-2build1

1.4.23-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "1.4.23-3"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:20.04:LTS

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@2.0.29-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.23-1

2.0.27-1

2.0.28-1

2.0.29-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "2.0.29-1"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:22.04:LTS

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@2.2.16-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.8-1

2.2.12-1

2.2.13-1

2.2.14-1

2.2.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "2.2.16-1"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:24.04:LTS

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@2.3.8-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.8-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "2.3.8-2"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:25.04

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@2.3.18-1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.8-2

2.3.18-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "2.3.18-1"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"

Ubuntu:25.10

undertow

Package

Name: undertow
Purl: pkg:deb/ubuntu/undertow@2.3.18-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.18-1

2.3.18-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libundertow-java",
            "binary_version": "2.3.18-2"
        }
    ],
    "priority_reason": "user sesison takeover"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-12543.json"