CVE-2025-11143

CWE-20 — Improper Input Validation CWE-444 — HTTP Request Smuggling9 documents8 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 72.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jetty Eclipse Foundation Eclipse Jetty

Timeline

PublishedMar 5

Description

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages4 packages

▶NVDeclipse/jetty12.0.0 — 12.0.31+4

▶Mavenorg.eclipse.jetty:jetty-http12.0.0 — 12.0.31+4

▶Debianjetty12< 12.0.32-1

▶CVEListV5eclipse_foundation/eclipse_jetty9.4.0 — 9.4.58+4

🔴Vulnerability Details

OSV

org.eclipse.jetty:jetty-http has different parsing of invalid URIs↗2026-03-05

▶

GHSA

org.eclipse.jetty:jetty-http has different parsing of invalid URIs↗2026-03-05

▶

CVEList

CVE-2025-11143: The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs↗2026-03-05

▶

OSV

CVE-2025-11143: The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs↗2026-03-05

▶

📋Vendor Advisories

Red Hat

org.eclipse.jetty/jetty-http: org.eclipse.jetty: Security bypass due to differential URI parsing↗2026-03-05

▶

Debian

CVE-2025-11143: jetty12 - The Jetty URI parser has some key differences to other common parsers when evalu...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11143 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-11143 org.eclipse.jetty/jetty-http: org.eclipse.jetty: Security bypass due to differential URI parsing↗2026-03-05

▶