Undertow Java HTTP Server Flaw Lets Attackers Hijack User Sessions
A critical security vulnerability has emerged within the Undertow HTTP server core, a component widely integrated into Java application servers such as WildFly and JBoss EAP.
The vulnerability, tracked as CVE-2025-12543, poses serious risks to application security by enabling attackers to hijack user sessions and compromise internal systems.
The flaw lies in how Undertow handles the HTTP Host header of incoming requests. The library does not validate the header properly, so malformed or attacker-controlled Host values are accepted rather than rejected.
Because applications and front-end caches commonly trust the Host value to build absolute URLs (for example, password-reset links), route requests, and key cached responses, this weakness opens several attack vectors, including cache poisoning, internal network scanning, and session hijacking.
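To make the missing check concrete, here is an added example (not Undertow's or Red Hat's code) of strict Host header validation: a syntax check against the RFC 7230 `Host = uri-host [ ":" port ]` grammar followed by an allowlist of the names the deployment actually serves. The allowlist, the sample Host values and the messages are constructed for illustration; in a real deployment the same logic belongs in a front-end handler or at the reverse proxy, before any code builds URLs from the header.

```python
"""Strict HTTP Host header validation: syntax check plus allowlist.

Added example, not Undertow's code. The allowlist, sample requests and
messages are constructed for illustration.
"""
import re
from ipaddress import ip_address

# RFC 7230: Host = uri-host [ ":" port ]. uri-host (RFC 3986) is an
# IP-literal ("[...]"), an IPv4 address, or a reg-name. Only the DNS-label
# form of reg-name is accepted here (it also covers dotted IPv4), so '@',
# '/', whitespace, CR/LF and other delimiters can never get through.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|" + _LABEL + r"(?:\." + _LABEL + r")*\.?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)

# Hypothetical allowlist: the names this deployment is really served under.
ALLOWED_HOSTS = frozenset({"app.example.com", "localhost"})


class HostHeaderError(ValueError):
    """Raised for a missing, malformed or unexpected Host header."""


def parse_host(raw):
    """Return (host, port) for a syntactically valid Host value, else raise."""
    if raw is None or raw == "":
        raise HostHeaderError("missing Host header")
    if len(raw) > 255:
        raise HostHeaderError("Host header too long")
    m = _HOST_RE.fullmatch(raw)  # fullmatch: no '$'-before-newline loophole
    if m is None:
        raise HostHeaderError("malformed Host header: %r" % raw)
    host = m.group("host").lower().rstrip(".")
    if host.startswith("["):
        try:
            host = str(ip_address(host[1:-1]))  # validates and normalises
        except ValueError:
            raise HostHeaderError("invalid IPv6 literal: %r" % raw) from None
    port = None
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise HostHeaderError("port out of range: %r" % raw)
    return host, port


def check_host(raw, allowed=ALLOWED_HOSTS):
    """Parse, then enforce the allowlist. Returns the normalised (host, port)."""
    host, port = parse_host(raw)
    if host not in allowed:
        raise HostHeaderError("Host %r is not served here" % host)
    return host, port


def verdict(raw, allowed=ALLOWED_HOSTS):
    """Human-readable outcome for one Host value, for triage or logging."""
    try:
        host, port = check_host(raw, allowed)
    except HostHeaderError as exc:
        return "rejected: " + str(exc)
    return "accepted: host=%s port=%s" % (host, port)


# Constructed sample Host values covering the attack classes named above:
# header injection via CR/LF, confusion via '@', an internal address a
# forwarded request could be steered to, a foreign name that would end up in
# cached pages or password-reset links, and an out-of-range port.
SAMPLE_HOSTS = [
    "app.example.com",
    "APP.example.com:8080",
    "app.example.com\r\nX-Injected: 1",
    "app.example.com@evil.example",
    "10.0.0.5",
    "evil.example",
    "app.example.com:99999",
]

if __name__ == "__main__":
    for raw in SAMPLE_HOSTS:
        print("%-40r -> %s" % (raw, verdict(raw)))
```

Two design points: the grammar check alone is not enough, since `10.0.0.5` and `evil.example` are perfectly well-formed, so the allowlist is what defeats internal scanning and cache or reset-link poisoning; and a rejected request should get a 400 response from the front handler rather than being forwarded, so that no downstream component ever sees the bad value.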
| CVE ID | CVE-2025-12543 |
|---|---|
| CVSS Score | 9.6 (Critical) |
| Severity | Important |
| Attack Vector | Network |
| CWE | CWE-20 (Improper Input Validation) |
Red Hat classified this vulnerability as having “Important” severity because it can be exploited remotely without authentication, though limited user interaction is required.
Successful exploitation could allow attackers to steal user credentials, hijack additional accounts, or gain unauthorized access to internal systems.
The vulnerability severely impacts both the confidentiality and the integrity of affected systems. Affected products include Red Hat JBoss Enterprise Application Platform 8.1 and related components across multiple packages, including eap8-undertow, eap8-wildfly, and other associated libraries.
Red Hat has released security patches to address this vulnerability. Organizations using affected versions should immediately apply the available updates released on January 8, 2026, through security advisories RHSA-2026:0386 and RHSA-2026:0383.
Currently, no alternative mitigation options meet Red Hat’s security criteria for ease of use and stability, making immediate patching the recommended course of action.