Headline
GHSA-j382-5jj3-vw4j: Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-12543
Undertow HTTP server core doesn’t properly validate the Host header in incoming HTTP requests
Critical severity GitHub Reviewed Published Jan 7, 2026 to the GitHub Advisory Database • Updated Jan 8, 2026
Package
maven io.undertow:undertow-core (Maven)
Affected versions
<= 2.4.0.Alpha1
Description
Published to the GitHub Advisory Database
Jan 7, 2026
EPSS score
Related news
This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn’t need novel tricks. They used what was already exposed and moved in without resistance. Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and