The vulnerability CVE-2025-12543 affects the Undertow HTTP server core, which fails to properly validate the Host header in HTTP requests. This improper input validation allows attackers to send requests with malformed or malicious Host headers that the server processes without rejection. The impact includes potential cache poisoning, internal network scanning, and user session hijacking. Red Hat's JBoss Enterprise Application Platform 8.1.3 update includes a fix by upgrading Undertow to versions 2.3.20.SP2 and later. The vulnerability is rated critical with a CVSS 3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L). The vendor advisory confirms the availability of patches for RHEL 8 and 9 platforms and recommends applying these updates after ensuring all prior errata are applied.

Successful exploitation of this vulnerability can lead to cache poisoning, allowing attackers to manipulate cached content served to users. It also enables server-side request forgery (SSRF), which can be used to scan internal networks or access internal resources. Additionally, session hijacking is possible, potentially compromising user accounts. The CVSS score of 9.6 reflects critical impact on confidentiality, integrity, and low impact on availability. No known exploits in the wild have been reported so far.

Red Hat has released official security updates for JBoss Enterprise Application Platform 8.1.3 on Red Hat Enterprise Linux 8 and 9 that address CVE-2025-12543 by upgrading the Undertow HTTP server component. Users should apply these updates promptly after verifying that all previously released errata relevant to their systems have been applied. Backing up existing installations, including applications, configuration files, and databases, is recommended before applying the update. Detailed update instructions are available in the Red Hat advisory and knowledge base articles linked in the vendor advisory. No additional mitigations are indicated by the vendor advisory.