Severity: 7.7 HIGH
EPSS: 0.1% (top 68.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 20; latest update Jan 15

Description

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-edit

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

Affected Packages (6 packages)

Source     | Package                                     | From     | To / Fixed            | More ranges
Maven      | org.eclipse.jetty.http2:http2-common        | 9.3.0    | 9.4.58                | +2
Maven      | org.eclipse.jetty.http2:jetty-http2-common  | 12.0.0   | 12.0.25               | +1
NVD        | eclipse/jetty                               | 9.3.0    | 9.4.57                | +4
CVEListV5  | eclipse_jetty/eclipse_jetty                 | >=9.3.0  | <=9.4.57              | +4
Debian     | jetty9                                      |          | < 9.4.57-0+deb11u3    | +3

Vulnerability Details (4)

GHSA: Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability (2025-08-20)
CVEList: MadeYouReset HTTP/2 vulnerability (2025-08-20)
OSV: CVE-2025-5115: In Eclipse Jetty, versions <=9... (2025-08-20)
OSV: Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability (2025-08-20)

Vendor Advisories (6)

Oracle: Oracle Communications Risk Matrix: Core (Eclipse Jetty) — CVE-2025-5115 (2026-01-15)
Oracle: Oracle Communications Applications Risk Matrix: Security (Eclipse Jetty) — CVE-2025-5115 (2025-10-15)
Jenkins: Jenkins Security Advisory 2025-09-17 (2025-09-17)
Red Hat: jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (2025-08-20)
Debian: CVE-2025-5115: jetty12 - In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.a... (2025)