Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalPublic exploit

Host Header Injection in Undertow HTTP Server Core

IdentifiersCVE-2025-12543CWE-20· Improper Input Validation

CVE-2025-12543 is a critical input validation flaw in the Undertow HTTP server core used by WildFly, JBoss EAP, and other Java applications. Undertow fails to properly validate the HTTP Host header in incoming requests and accepts malformed or attacker-controlled Host values instead of rejecting them. This creates a Host header injection condition in which application logic, generated links, cache keys, or downstream components may trust and process unvalidated host information. Reported abuse scenarios include web cache poisoning, SSRF-style/internal network reconnaissance, and session hijacking. The issue is described as remotely exploitable without authentication, and affected deployments include Undertow-based applications and platform distributions such as WildFly and JBoss EAP that embed vulnerable Undertow components.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can compromise confidentiality and integrity. An attacker may poison application or intermediary caches, causing users to receive attacker-influenced content; manipulate host-dependent behavior to facilitate session hijacking or credential theft; and leverage the server's handling of crafted requests for SSRF-style access or internal network scanning of otherwise unreachable services. In affected enterprise deployments, this can lead to unauthorized access to internal systems, account compromise, and broader trust-boundary violations across reverse proxies, caches, and application tiers.

Mitigation

If you can’t patch tonight, do this now.

If patching cannot be performed immediately, enforce strict Host header validation at the edge using a reverse proxy, load balancer, or WAF with an allowlist of expected hostnames. Reject malformed Host headers, multiple Host headers, and values that do not match the deployment's canonical hostnames. Restrict direct access to Undertow so it is reachable only through trusted front-end infrastructure. Where Host influences content selection or cache keys, disable or tightly limit caching until fixes are applied, and invalidate potentially poisoned caches. Monitor HTTP request logs for anomalous Host header values and investigate suspicious requests.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixes for affected Undertow-based products. The content indicates Red Hat released patches on 2026-01-08 via RHSA-2026:0386 and RHSA-2026:0383 for affected JBoss EAP 8.1-related components, including eap8-undertow and eap8-wildfly. More generally, upgrade Undertow to a fixed release, or apply the corresponding WildFly/JBoss EAP platform update that includes the patched undertow-core dependency, then redeploy affected applications. Because no alternative mitigation meeting vendor security criteria is noted, prompt patching is the primary remediation.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Red HatBuild Of Apache Camelapplication
Red HatData Gridapplication
Red HatFuseapplication
Red HatJboss Enterprise Application Platformapplication
Red HatJboss Enterprise Application Platform Expansion Packapplication
Red HatProcess Automationapplication
Red HatSingle Sign-Onapplication
Red HatUndertowapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Unknown (listed as a trending CVE affecting HPE Telco Service Activator).

Read more
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Unknown (listed as a trending CVE affecting HPE Telco Service Activator; no technical details provided in the content).

Read more
cyber security newsNews
Jan 9, 2026
Undertow HTTP Server Used in Java Apps Vulnerability Allow Attackers to Hijack Sessions

A critical improper input validation vulnerability in Undertow HTTP server core, allowing attackers to exploit malformed Host headers for session hijacking, cache poisoning, and internal network compromise.

Read more
security online infoNews
Jan 9, 2026
The 9.6 Crack in Java's Foundation: Critical Undertow Flaw CVE-2025-12543

A critical Host header injection vulnerability in the Undertow Java web server core that allows malicious Host header values to be processed, enabling impacts such as cache poisoning, internal network probing (SSRF-style), and session hijacking; remotely exploitable without authentication.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-12543
NVD
nvd.nist.gov/vuln/detail/CVE-2025-12543
MITRE CWE · CWE-20
Improper Input Validation
Vendor Advisory
access.redhat.com/errata/RHSA-2026:0383
Vendor Advisory
access.redhat.com/errata/RHSA-2026:0384
Vendor Advisory
access.redhat.com/errata/RHSA-2026:0386
Vendor Advisory
access.redhat.com/errata/RHSA-2026:3889
Vendor Advisory
access.redhat.com/errata/RHSA-2026:3890
Vendor Advisory
access.redhat.com/errata/RHSA-2026:3891
Vendor Advisory
access.redhat.com/errata/RHSA-2026:3892
Vendor Advisory
access.redhat.com/security/cve/CVE-2025-12543
Vendor Advisory
bugzilla.redhat.com/show_bug.cgi?id=2408784
+4 more references
view more in app