A critical security flaw has been disclosed in Undertow, the HTTP server core embedded in Java application platforms such as WildFly and Red Hat JBoss EAP.
The vulnerability, tracked as CVE-2025-12543, is significant because it lets an unauthenticated remote attacker influence how the server and the applications behind it interpret the request's Host header, opening the door to session hijacking and to reaching internal systems.
The flaw lies in how Undertow handles the HTTP Host header of incoming requests. The library does not validate the header value against the syntax it is supposed to carry (a hostname or IP literal, optionally followed by a port), so malformed or attacker-crafted Host values are accepted and passed on to whatever consumes them instead of being rejected with a 400 response.
That matters because the Host header is fully under the client's control yet is routinely trusted downstream: for virtual-host routing, for cache keys, and for building absolute URLs in generated content such as password-reset links. Accepting arbitrary values therefore creates several attack vectors, including cache poisoning, scanning or reaching internal network hosts through routing decisions, and session hijacking via poisoned links.
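To make the "properly validate" requirement concrete, the following is an added, language-neutral illustration written for this article; it is not Undertow or WildFly code and does not reproduce the CVE-2025-12543 defect itself. It shows a parser that accepts only the RFC 9110 `Host = uri-host [ ":" port ]` syntax, an allowlist check against the hostnames a deployment actually serves, and a password-reset link builder in the unsafe pattern (absolute URL taken straight from the client-supplied Host) beside its hardened form. Every input value, the hostname `app.example.com` and the token strings are constructed for the example.

```python
"""Strict HTTP Host header validation and why it matters.

Added example for this article; not Undertow/WildFly code. The sample
inputs, hostnames and tokens below are constructed test values.
"""
import ipaddress
import re

# RFC 3986 reg-name: unreserved / pct-encoded / sub-delims. No "/", ":", "@",
# whitespace or control characters, so path smuggling and CRLF injection fail.
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+")
_PORT = re.compile(r"[0-9]*")


def parse_host_header(value):
    """Return (host, port) for a syntactically valid Host field value, else None.

    host is lower-cased (DNS names are case-insensitive); an IPv6 literal keeps
    its brackets so it can be re-emitted as an authority. port is an int or
    None when absent. Policy choices made here: an empty host is rejected
    (RFC 9110 requires a 400 for an invalid or missing Host anyway), and the
    IPvFuture and zone-ID (RFC 6874 "%25...") forms of IP-literal are refused.
    """
    if not isinstance(value, str) or not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            return None
        literal, rest = value[1:end], value[end + 1:]
        if "%" in literal:          # zone IDs not accepted by this policy
            return None
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return None
        host = f"[{literal.lower()}]"
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest           # keep ":" so both branches share port logic
        if not _REG_NAME.fullmatch(host):
            return None
        host = host.lower()
    port_text = ""
    if rest:
        if rest[0] != ":" or not _PORT.fullmatch(rest[1:]):
            return None
        port_text = rest[1:]
    if port_text == "":
        return host, None
    port = int(port_text)
    return (host, port) if port <= 65535 else None


def host_allowed(value, allowed_hosts):
    """True only if the Host header parses and names a host we serve."""
    parsed = parse_host_header(value)
    return parsed is not None and parsed[0] in allowed_hosts


def reset_link_unvalidated(host_header, token):
    """UNSAFE pattern: the absolute URL is built from whatever the client sent,
    so an attacker who triggers a reset for a victim with a forged Host gets
    the token delivered to a domain they control (password-reset poisoning)."""
    return f"https://{host_header}/reset?token={token}"


def reset_link_validated(host_header, token, allowed_hosts):
    """Hardened form: refuse unless Host is well-formed and on the allowlist,
    then rebuild the authority from the parsed parts, never from raw input."""
    parsed = parse_host_header(host_header)
    if parsed is None or parsed[0] not in allowed_hosts:
        raise ValueError(f"rejected Host header: {host_header!r}")
    host, port = parsed
    authority = host if port is None else f"{host}:{port}"
    return f"https://{authority}/reset?token={token}"


if __name__ == "__main__":
    allowed = {"app.example.com"}
    for raw in ["APP.example.com:8443", "[::1]:8080", "evil.example/..",
                "example.com:99999", "a.example.com\r\nX-Injected: 1", "::1"]:
        print(repr(raw), "->", parse_host_header(raw),
              "allowed:", host_allowed(raw, allowed))
    print("unsafe builder:", reset_link_unvalidated("attacker.example", "t0k3n"))
    try:
        reset_link_validated("attacker.example", "t0k3n", allowed)
    except ValueError as exc:
        print("hardened builder:", exc)
```

The allowlist comparison is done on the parsed, lower-cased host rather than on the raw header string, so case tricks, trailing garbage and an injected path or CRLF sequence all fail the syntax check before any policy decision is made. In a real deployment the same check usually belongs at the reverse proxy in front of the application as well, as defence in depth, but that does not replace updating the vulnerable library.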
| CVE ID | CVE-2025-12543 |
|---|---|
| CVSS Score | 9.6 (falls in the CVSS "Critical" band) |
| Red Hat Severity | Important |
| Attack Vector | Network |
| CWE | CWE-20 (Improper Input Validation) |
Red Hat rated the vulnerability "Important" on its own impact scale (which is separate from the CVSS qualitative band): it can be exploited remotely without authentication, though limited user interaction is required, for example a victim following an attacker-influenced link.
Successful exploitation could allow attackers to steal user credentials, hijack additional accounts, or gain unauthorized access to internal systems.
The vulnerability has a severe impact on both the confidentiality and the integrity of affected systems. Affected products include Red Hat JBoss Enterprise Application Platform 8.1 and related components shipped across multiple packages, including eap8-undertow, eap8-wildfly, and other associated libraries.
Red Hat has released security patches to address this vulnerability. Organizations running affected versions should apply the updates published on January 8, 2026, under security advisories RHSA-2026:0386 and RHSA-2026:0383 without delay.
Red Hat lists no mitigation that meets its criteria for ease of use and stability, so applying the patched packages is the only recommended course of action.
