CVE advisoryCRITICAL
CVE-2025-12543
Undertow HTTP Request Header Validation Flaw Allows Cache Poisoning and Session Hijacking
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A vulnerability exists in the Undertow HTTP server core, used in Java applications like WildFly and JBoss EAP, due to improper validation of the Host header in HTTP requests. This flaw allows attackers to send malformed or malicious Host headers, which are processed without rejection, potentially leading to cache poiso