CVE-2025-12543

State: PUBLISHED · Published: 2026-01-07 · Updated: 2026-04-01 · Assigner: redhat

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

CWE

CWE-20 — Improper Input Validation

Affected

Red Hat / Red Hat build of Apache Camel 4.14.4 for Spring Boot 3.5.11 —
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 —
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7 — v=0:2.2.39-1.Final_redhat_00001.1.el7eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7 — v=0:7.4.24-4.GA_redhat_00002.1.el7eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8 — v=0:2.2.39-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8 — v=0:7.4.24-4.GA_redhat_00002.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 — v=0:2.2.39-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 — v=0:7.4.24-4.GA_redhat_00002.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 —
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:1.83.0-1.redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:33.0.0-2.jre_redhat_00003.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:4.0.6-1.redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:1.0.0-3.redhat_00009.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:2.0.2-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 — v=0:2.3.23-1.SP3_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:1.83.0-1.redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:33.0.0-2.jre_redhat_00003.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:4.0.6-1.redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:1.0.0-3.redhat_00009.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:2.0.2-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 — v=0:2.3.23-1.SP3_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 —
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:4.0.10-1.redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:1.82.0-1.redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:801.3.0-1.GA_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:1.0.1-3.redhat_00003.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:6.6.36-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:4.0.2-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:2.5.0-1.redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:2.3.20-2.SP4_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:8.1.3-4.GA_redhat_00006.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:5.0.12-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:2.6.6-1.Final_redhat_00001.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 — v=0:8.1.1-4.GA_redhat_00007.1.el8eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:4.0.10-1.redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:1.82.0-1.redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:801.3.0-1.GA_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:1.0.1-3.redhat_00003.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:6.6.36-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:4.0.2-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:2.5.0-1.redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:2.3.20-2.SP4_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:8.1.3-4.GA_redhat_00006.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:5.0.12-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:2.6.6-1.Final_redhat_00001.1.el9eap <* [unaffected]
Red Hat / Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 — v=0:8.1.1-4.GA_redhat_00007.1.el9eap <* [unaffected]
Red Hat / Red Hat build of Apache Camel - HawtIO 4 —
Red Hat / Red Hat Data Grid 8 —
Red Hat / Red Hat Enterprise Linux 10 —
Red Hat / Red Hat Enterprise Linux 8 —
Red Hat / Red Hat Enterprise Linux 8 —
Red Hat / Red Hat Enterprise Linux 9 —
Red Hat / Red Hat Fuse 7 —
Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack —
Red Hat / Red Hat Process Automation 7 —
Red Hat / Red Hat Single Sign-On 7 —

CVSS

3.1 score=9.6 severity=CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

References

https://access.redhat.com/errata/RHSA-2026:0383 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0384 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0386 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3889 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3890 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3891 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3892 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:4915 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:4916 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:4917 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:4924 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-12543 vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2408784 issue-tracking, x_refsource_REDHAT

Source

cvelistV5-main/cves/2025/12xxx/CVE-2025-12543.json