Skip to main content

Jastow EUVDEUVD-2025-210439

| CVE-2025-12799 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 redhat GHSA-rfhw-2486-47r9
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
4.7 MEDIUM

XSS inherently requires victim interaction (UI:R) and browser scope change (S:C); AC:H retained for configuration-conjunction prerequisite; I:L more appropriate than I:H absent evidence of server-side integrity compromise.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 17:26 vuln.today

DescriptionCVE.org

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.

AnalysisAI

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

Jastow is the Undertow-native JSP processing engine (analogous to Apache Jasper for Tomcat) embedded in Red Hat JBoss EAP. Undertow is the non-blocking HTTP server underpinning JBoss EAP's Java EE runtime. CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied URL input is not properly escaped or sanitized before being reflected or rendered back in an HTTP response. The vulnerability is activated by a conjunction of configuration options - both Undertow and Jastow must be set in a way that permits unescaped characters in URL paths or parameters, suggesting the flaw lives at the interface between URL parsing and output encoding rather than in either component alone. CPE data identifies the affected surface as cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_7 and cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_8, as well as the Expansion Pack variant.

RemediationAI

The primary remediation is to apply Red Hat's patch for JBoss EAP 7, EAP 8, and the Expansion Pack as referenced in the vendor advisory at https://access.redhat.com/security/cve/CVE-2025-12799 - an exact fixed version number was not confirmed from the available data, so administrators should consult the advisory directly for the specific update. As a compensating control prior to patching, review and tighten Undertow and Jastow configuration to avoid the permissive combination that allows unescaped characters in URL handling: specifically, disable any non-default settings that relax URL character escaping in Undertow's request parsing or Jastow's output encoding pipeline. Enabling a web application firewall rule to block reflected script patterns in URL input can reduce exposure, though this carries the trade-off of potential false positives on legitimate parameterized URLs. Red Hat Single Sign-On 7 deployments should also be evaluated, as they share the affected runtime components.

Vendor StatusVendor

Share

EUVD-2025-210439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy