Description
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
Published: 2026-07-07
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Workaround

It is possible to contruct successful attack vector if and only if customer or client is using embedded Undertow and Jastow together in their application and the following conditions are met: * Undertow was configured with UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL set to 'true' value * DeploymentInfo configured with setEscapeErrorMessage(true) method was passed to Undertow's Servlet Container instance

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el10
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
References

Tue, 07 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
Title Jastow: jastow cross-site scripting attack due to unsanitized uri
First Time appeared Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-79
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Redhat Jboss Enterprise Application Platform Jbosseapxp Red Hat Single Sign On
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-07T18:57:44.571Z

Reserved: 2025-11-06T11:15:12.378Z

Link: CVE-2025-12799

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')