CVE-2025-12543 — Undertow HTTP server core doesn't properly validate the Host header in incoming

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

How to fix CVE-2025-12543

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2025-12543 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

References (21)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-12543
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-12543
PATCHgithub.com/undertow-io/undertow
WEBaccess.redhat.com/errata/RHSA-2026:0383
WEB