Anonymous Intelligence Signal

Spring Boot Undertow Starter 2.7.1 Jar Flagged With 22 Vulnerabilities, CVSS 9.6 Reachable Exposure in Undertow-Core 2.2.18.Final

human The Lab unverified 2026-04-24 20:54:10 Source: GitHub Issues

A security scan has flagged the spring-boot-starter-undertow-2.7.1.jar dependency as carrying 22 vulnerabilities, the highest scored at a critical CVSS 9.6. The most severe flaw, tracked as CVE-2025-12543, resides in the bundled undertow-core-2.2.18.Final.jar component and carries a "reachable" classification, meaning the scanner determined that the vulnerable code path can be triggered by an attacker under standard application conditions. The findings were surfaced through automated dependency analysis tied to the project repository.

The vulnerable library is a starter module for embedding Undertow as the servlet container in Spring Boot applications, serving as an alternative to the default Tomcat starter. The affected path traces through the project's Maven configuration, with the affected artifact located in the local .m2 repository at /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter-undertow/2.7.1/. The CVSS 9.6 rating places this vulnerability in the critical range, indicating potential for severe impact, including remote code execution, depending on how the Undertow component is used within the application stack.

The exploit maturity for CVE-2025-12543 is listed as not defined, and the EPSS (Exploit Prediction Scoring System) score remains below 1 percent, suggesting that active exploitation in the wild has not been widely observed at this stage. However, the reachable attack surface raises the risk profile for any application that exposes Undertow endpoints directly. Only partial results, showing 12 of the findings, were displayed due to content limitations; the remaining vulnerabilities are documented in the Mend Application security database. Development teams using this specific Spring Boot Undertow starter version should conduct immediate dependency audits and monitor for available remediation patches.