Vulnerability details: VCID-ygp7-kj2w-syat
Vulnerability ID VCID-ygp7-kj2w-syat
Aliases CVE-2017-12165
GHSA-5gg7-5wv8-4gcj
Summary Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling). It was discovered that Undertow processes HTTP request headers with unusual whitespace, which can make HTTP request smuggling possible.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 2.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12165.json
epss 0.01096 https://api.first.org/data/v1/epss?cve=CVE-2017-12165
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12165
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12165
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5gg7-5wv8-4gcj
cvssv3.1 7.5 https://github.com/undertow-io/undertow
generic_textual HIGH https://github.com/undertow-io/undertow
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f
generic_textual HIGH https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/5b008b7ac312c6cdb76679ff58c43620bb79d44f
generic_textual HIGH https://github.com/undertow-io/undertow/commit/5b008b7ac312c6cdb76679ff58c43620bb79d44f
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/691440ee58259fba76711b60d56dde6679808bdc
generic_textual HIGH https://github.com/undertow-io/undertow/commit/691440ee58259fba76711b60d56dde6679808bdc
cvssv3.1 7.5 https://issues.redhat.com/browse/UNDERTOW-1251
generic_textual HIGH https://issues.redhat.com/browse/UNDERTOW-1251
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-12165
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-12165
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12165.json
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12165
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/undertow-io/undertow
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/undertow-io/undertow/commit/5b008b7ac312c6cdb76679ff58c43620bb79d44f
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/undertow-io/undertow/commit/691440ee58259fba76711b60d56dde6679808bdc
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://issues.redhat.com/browse/UNDERTOW-1251
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12165
Exploit Prediction Scoring System (EPSS)
Percentile 0.77946
EPSS Score 0.01096
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:53.515151+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2017-12165.yml 38.0.0