CRITICAL🇵🇱 Wersja polska

CVE-2025-12543

CVSS 9.6v3.1pub. 2026-01-07upd. 2026-06-30

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
  • Red Hat Build Of Apache Camel

    APP
    Redhat
    < 4.14.4
  • Red Hat Data Grid

    APP
    Redhat
    8.0
  • Red Hat Fuse

    APP
    Redhat
    7.0.0
  • Red Hat Jboss Enterprise Application Platform

    APP
    Redhat
    7.0.08.1.0 – 8.1.3 (bez)8.0 – 8.0.12 (bez)
  • Red Hat Jboss Enterprise Application Platform Expansion Pack

    APP
    Redhat
    wszystkie wersje
  • Red Hat Process Automation

    APP
    Redhat
    7.0
  • Red Hat Single Sign On

    APP
    Redhat
    7.0
  • Red Hat Undertow

    APP
    Redhat
    < 2.2.392.3.0 – 2.3.21 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2017-12149CRITICAL9.8⚠ KEVten sam produkt

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the...

CVE-2016-4437CRITICAL9.8⚠ KEVten sam produkt

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows rem...

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2022-4361CRITICAL10.0ten sam produkt

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerabili...

CVE-2021-31917CRITICAL9.8ten sam produkt

A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0...