Описание
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-12543
- https://github.com/undertow-io/undertow/pull/1857
- https://github.com/undertow-io/undertow/pull/1860
- https://access.redhat.com/errata/RHSA-2026:0383
- https://access.redhat.com/errata/RHSA-2026:0384
- https://access.redhat.com/errata/RHSA-2026:0386
- https://access.redhat.com/security/cve/CVE-2025-12543
- https://bugzilla.redhat.com/show_bug.cgi?id=2408784
- https://github.com/undertow-io/undertow/releases/tag/2.2.39.Final
- https://github.com/undertow-io/undertow/releases/tag/2.3.21.Final
- https://issues.redhat.com/browse/UNDERTOW-2656
Пакеты
io.undertow:undertow-core
= 2.4.0.Alpha1
Отсутствует
io.undertow:undertow-core
>= 2.3.0.Alpha1, < 2.3.21.Final
2.3.21.Final
io.undertow:undertow-core
< 2.2.39.Final
2.2.39.Final
Связанные уязвимости
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
A flaw was found in the Undertow HTTP server core, which is used in Wi ...
Уязвимость ядра HTTP-сервера Undertow, связанная с ошибками механизма проверки входных данных при обработке заголовков Host, позволяющая нарушителю осуществить SSRF-атаку