CVE-2025-1948

CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

7.5HIGH

EPSS

0.6%

top 31.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jetty Eclipse Foundation Jetty

Timeline

PublishedMay 8

Latest updateOct 15

Description

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.eclipse.jetty.http2:jetty-http2-common12.0.0 — 12.0.17

▶NVDeclipse/jetty12.0.0 — 12.0.17

▶CVEListV5eclipse_foundation/jetty12.0.0 — 12.0.16

▶Debianjetty12< 12.0.17-1+1

🔴Vulnerability Details

GHSA

Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit↗2025-05-08

▶

OSV

Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit↗2025-05-08

▶

CVEList

Eclipse Jetty HTTP clients can increase memory allocation↗2025-05-08

▶

OSV

CVE-2025-1948: In Eclipse Jetty versions 12↗2025-05-08

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Security (Eclipse Jetty) — CVE-2025-1948↗2025-10-15

▶

Red Hat

jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability↗2025-05-08

▶

Debian

CVE-2025-1948: jetty12 - In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can speci...↗2025

▶