Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
XSS inherently requires victim interaction (UI:R) and browser scope change (S:C); AC:H retained for configuration-conjunction prerequisite; I:L more appropriate than I:H absent evidence of server-side integrity compromise.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
AnalysisAI
Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
Jastow is the Undertow-native JSP processing engine (analogous to Apache Jasper for Tomcat) embedded in Red Hat JBoss EAP. Undertow is the non-blocking HTTP server underpinning JBoss EAP's Java EE runtime. CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied URL input is not properly escaped or sanitized before being reflected or rendered back in an HTTP response. The vulnerability is activated by a conjunction of configuration options - both Undertow and Jastow must be set in a way that permits unescaped characters in URL paths or parameters, suggesting the flaw lives at the interface between URL parsing and output encoding rather than in either component alone. CPE data identifies the affected surface as cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_7 and cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_8, as well as the Expansion Pack variant.
RemediationAI
The primary remediation is to apply Red Hat's patch for JBoss EAP 7, EAP 8, and the Expansion Pack as referenced in the vendor advisory at https://access.redhat.com/security/cve/CVE-2025-12799 - an exact fixed version number was not confirmed from the available data, so administrators should consult the advisory directly for the specific update. As a compensating control prior to patching, review and tighten Undertow and Jastow configuration to avoid the permissive combination that allows unescaped characters in URL handling: specifically, disable any non-default settings that relax URL character escaping in Undertow's request parsing or Jastow's output encoding pipeline. Enabling a web application firewall rule to block reflected script patterns in URL input can reduce exposure, though this carries the trade-off of potential false positives on legitimate parameterized URLs. Red Hat Single Sign-On 7 deployments should also be evaluated, as they share the affected runtime components.
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210439
GHSA-rfhw-2486-47r9