CVE-2025-12543

Published Jan 7, 2026

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-12543 describes a flaw within the Undertow HTTP server core, a component utilized in various Java applications including WildFly and JBoss EAP. The vulnerability stems from the Undertow library's failure to adequately validate the `Host` header in incoming HTTP requests. This improper input validation (CWE-20) allows the server to process requests containing malformed or malicious `Host` headers without rejection. The acceptance of these manipulated `Host` headers can enable attackers to exploit the system in several ways. Potential impacts include cache poisoning, which can lead to persistent malicious entries in caches, the ability to perform internal network scans, and the hijacking of user sessions. This issue arises because downstream application logic, frameworks, or proxies may trust the unvalidated `Host` header for security-relevant decisions.

Description
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Source: secalert@redhat.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.6
Impact score: 6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Severity: CRITICAL

Weaknesses

secalert@redhat.com: CWE-20 (Improper Input Validation)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

7

  1. [HIGH] CISA Issues Emergency Patches for Critical Vulnerabilities CISA releases patches for critical flaws in multiple platforms. CVE: CVE-2026-1731, CVE-2025-12543 • APT: Unknown • Status: ACTIVE Urgent action needed t… https://t.co/J2iNIRDDMh

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔶 [HIGH] CISA Warns of Active Exploitation of HPE Telco Service Activator Flaw CISA issues warning … 🔴 CVE: CVE-2025-12543 🕵️ APT: Unknown ⚡ Status: ACTIVE 🎯 MITRE: Initial Access, Exploitation for Privilege Escalation ⚔️ Requires immediate patching to prev

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Critical HPE Telco Service Activator Flaw (CVE-2025-12543) Lets Attackers Bypass Host-Based Access Controls HPE warns a critical improper Host-header validation bug in the Undertow HTTP core used by Telco Service Activator can let remote attackers bypass access restrictions

    @ThreatSynop

    23 Feb 2026

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. A serious vulnerability (CVE-2025-12543) has been found in HPE Service Activator, which handles service activation for telecom carriers. With a high severity rating of CVSS 9.6, it carries a risk of internal network compromise. The cause is the Undertow used internally

    @yousukezan

    23 Feb 2026

    3478 Impressions

    2 Retweets

    21 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  5. Critical Undertow HTTP server flaw CVE-2025-12543 (CVSS 9.6) impacts HPE Telco Service Activator, allowing cache poisoning and session hijacking. Patch now. #HPESA #CVE202512543 #CyberSecurity #TelecomSecurity #Undertow #CachePoisoning #InfoSec https://t.co/jUoi3Bzl6u

    @the_yellow_fall

    23 Feb 2026

    151 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. #VulnerabilityReport #CachePoisoning The 9.6 Crack in Java’s Foundation: Critical Undertow Flaw CVE-2025-12543 https://t.co/FqqAdHAsDg

    @Komodosec

    13 Feb 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. https://t.co/MRPSLkLbYA CVE-2025-12543: Host Header Validation Bypass in Undertow

    @BentleyAudrey

    23 Jan 2026

    438 Impressions

    3 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  8. Java: Host header validation flaw in the Undertow HTTP server (CVE-2025-12543) https://t.co/VrREFdhTJ3 #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    13 Jan 2026

    148 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-12543: The Undertow Hijack Flaw Threatening WildFly and JBoss Infrastructure Read the full report on - https://t.co/wuxlNWYTEU https://t.co/6E607TgzOA

    @cyberbivash

    10 Jan 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Undertow HTTP server core (io.undertow:undertow-core) has a #CRITICAL vulnerability, CVE-2025-12543, due to improper Host header validation. #WebSecurity #Vulnerability https://t.co/6RiSLa4J7t

    @pulsepatchio

    9 Jan 2026

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Undertow HTTP server has a critical Host header validation flaw (CVE-2025-12543). Impacts #Java applications like WildFly/JBoss EAP. Requires attention to prevent malformed request processing. #infosec #vulnerability https://t.co/uDxQQ5BVUx

    @pulsepatchio

    9 Jan 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. A critical host header validation flaw affects the Undertow HTTP server (CVE-2025-12543). Improper header handling may lead to security bypasses. Implement input validation. #Undertow #HTTPsecurity #CVE https://t.co/6RiSLa4J7t

    @pulsepatchio

    9 Jan 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Critical Undertow Host-Header Bug (CVE-2025-12543) Enables Session Hijack & Cache Poisoning A critical Undertow core flaw (CVSS 9.6) fails to properly validate HTTP Host headers, letting remote attackers trigger cache poisoning, internal network scanning, and session hij

    @ThreatSynop

    9 Jan 2026

    65 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  14. 🚨 Critical Undertow Host-Header Flaw (CVE-2025-12543) Enables Session Hijack & Cache Poisoning in Java Apps A critical Undertow issue caused by improper validation of HTTP Host headers can be exploited remotely (no auth) to enable session hijacking, cache poisoning, and in

    @ThreatSynop

    9 Jan 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. [CVE-2025-12543: CRITICAL] Critical security flaw in Undertow HTTP server core used in WildFly & JBoss EAP allows attackers to poison caches, perform network scans, or hijack user sessions. #cybersecurity#cve,CVE-2025-12543,#cybersecurity https://t.co/zmLmQ76XTo https://t.co/

    @CveFindCom

    7 Jan 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🔴 CVE-2025-12543 - Critical A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in inc... https://t.co/DSyYdb9594 https://t.co/pqwdSgc96L

    @TheHackerWire

    7 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-12543 A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate t… https://t.co/gTQo3U4Y59

    @CVEnew

    7 Jan 2026

    127 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes