Eclipse Jetty vulnerabilities
48 known vulnerabilities affecting eclipse/jetty.

Total CVEs: 48
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 20, LOW 4

Vulnerabilities
Page 2 of 3
CVE-2025-1948 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: ≥ 12.0.0, < 12.0.17 | published 2025-05-08
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryE
Source: nvd
CVE-2024-13009 | P3 | HIGH | CVSS 7.2 | CWE-404 | affected: ≥ 9.4.0, < 9.4.57 | published 2025-05-08
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
Source: nvd
CVE-2018-12545 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: v9.3.0, v9.3.1, +36 more | published 2019-03-27
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
Source: nvd
CVE-2020-27216 | P3 | HIGH | CVSS 7.0 | CWE-378 | affected: ≥ 1.0, < 9.3.29; ≥ 9.4.0, ≤ 9.4.32; +2 more | published 2020-10-23
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to comp
Source: nvd
CVE-2022-2191 | P3 | HIGH | CVSS 7.5 | CWE-404 | affected: ≥ 10.0.0, ≤ 10.0.9; ≥ 11.0.0, ≤ 11.0.9 | published 2022-07-07
In Eclipse Jetty versions 10.0.0 thru 10.0.9 and 11.0.0 thru 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths.
Source: nvd
CVE-2024-9823 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: ≥ 9.0.0, < 9.4.54; ≥ 10.0.0, < 10.0.18; +2 more | published 2024-10-14
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Source: nvd
CVE-2022-2048 | P3 | HIGH | CVSS 7.5 | CWE-410 | affected: fixed in 9.4.47; ≥ 10.0.0, < 10.0.9; +1 more | published 2022-07-07
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
Source: nvd
CVE-2019-10241 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | affected: v9.2.0, v9.2.1, +67 more | published 2019-04-22
In Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Source: nvd
CVE-2009-5045 | P3 | HIGH | CVSS 7.5 | CWE-200 | affected: fixed in 6.1.22 | published 2019-11-06
Dump Servlet information leak in jetty before 6.1.22.
Source: nvd
CVE-2024-6762 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≥ 10.0.0, < 10.0.18; ≥ 11.0.0, < 11.0.18; +1 more | published 2024-10-14
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server's memory.
Source: nvd
CVE-2019-10247 | P4 | MEDIUM | CVSS 5.3 | CWE-213 | affected: v7.0.0, v7.0.1, +161 more | published 2019-04-22
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on je
Source: nvd
CVE-2020-27218 | P4 | MEDIUM | CVSS 4.8 | CWE-226 | affected: ≥ 9.4.0, < 9.4.35; v10.0.0; +1 more | published 2020-11-28
In Eclipse Jetty versions 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the applicati
Source: nvd
CVE-2024-8184 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≥ 9.3.12, < 9.4.56; ≥ 10.0.0, < 10.0.24; +2 more | published 2024-10-14
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
Source: nvd
CVE-2025-11143 | P4 | MEDIUM | CVSS 6.5 | CWE-20 | affected: ≥ 9.4.0, ≤ 9.4.58; ≥ 10.0.0, ≤ 10.0.26; +3 more | published 2026-03-05
The Jetty URI parser has some key differences from other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in a security bypass. For example, a component that enforces a block list may interpret URIs differently from one that generates a response. At the very least, di
Source: nvd
CVE-2019-10246 | P4 | MEDIUM | CVSS 5.3 | CWE-213 | affected: v9.2.27, v9.3.26, +1 more | published 2019-04-22
In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name to a remote client when it is configured for showing a listing of directory contents. This information disclosure is restricted to only the content in the configured base resource dire
Source: nvd
CVE-2023-26048 | P4 | MEDIUM | CVSS 5.3 | CWE-400 | affected: fixed in 9.4.51; ≥ 10.0.0, < 10.0.14; +1 more | published 2023-04-18
Jetty is a Java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very
Source: nvd
CVE-2023-40167 | P4 | MEDIUM | CVSS 5.3 | CWE-130 | affected: ≥ 9.0.0, < 9.4.52; ≥ 10.0.0, < 10.0.16; +2 more | published 2023-09-15
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scena
Source: nvd
CVE-2018-12536 | P4 | MEDIUM | CVSS 5.3 | CWE-209 | affected: ≥ 9.0.0, ≤ 9.2.26; ≥ 9.3.0, < 9.3.24; +1 more | published 2018-06-27
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the b
Source: nvd
CVE-2023-26049 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | affected: fixed in 9.4.51; ≥ 10.0.0, < 10.0.14; +2 more | published 2023-04-18
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string u
Source: nvd
CVE-2024-6763 | P4 | MEDIUM | CVSS 5.3 | CWE-1286 | affected: ≥ 7.0.0, < 9.4.57 | published 2024-10-14
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered inv
Source: nvd