PT-2026-1665 · Jboss Eap+4 · Jboss Eap+4

Published

2026-01-07

Updated

2026-04-02

CVE-2025-12543

CVSS v2.0

9.7

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:P

Name of the Vulnerable Software and Affected Versions Undertow versions (affected versions not specified) WildFly versions (affected versions not specified) JBoss EAP versions (affected versions not specified)

Description A flaw exists in the Undertow HTTP server core, utilized by WildFly, JBoss EAP, and other Java applications. The Undertow library does not properly validate the Host header within incoming HTTP requests. This allows processing of requests with malformed or malicious Host headers without rejection. Successful exploitation can enable attackers to poison caches, conduct internal network scans, or hijack user sessions. The issue affects global/enterprise Java deployments.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2026-00261

CVE-2025-12543

GHSA-J382-5JJ3-VW4J

RHSA-2026:0383

RHSA-2026:0384

RHSA-2026:3889

RHSA-2026:3891

RHSA-2026:4915

RHSA-2026:4916

RHSA-2026:4917

USN-8144-1

Affected Products

Jboss Eap

Linuxmint

Ubuntu

Undertow

Wildfly

PT-2026-1665 · Jboss Eap+4 · Jboss Eap+4

CVE-2025-12543

Weakness Enumeration

Related Identifiers

Affected Products

References · 58