[jetty-dev] CVE-2025-1948 - Jetty 12 - HTTP/2 clients can force excessiv

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] CVE-2025-1948 - Jetty 12 - HTTP/2 clients can force excessive memory allocation on server

From: Joakim Erdfelt <joakim.erdfelt@xxxxxxxxx>
Date: Thu, 8 May 2025 13:10:02 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

HTTP/2 clients can force excessive memory allocation on server

CVE: CVE-2025-1948

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impacts: org.eclipse.jetty.http2:jetty-http2-common >=12.0.0,<=12.0.16

Patched: 12.0.17 - Supported, and available on Maven Central

Weakness: CWE-400 - Uncontrolled Resource Consumption

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

See: https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8 for details.

Credits to: https://github.com/bjorncs (reporter)

- Joakim Erdfelt

Prev by Date: [jetty-dev] CVE-2024-13009 in EOL Jetty 9.4 - GzipHandler causes part of request body to be seen as request body of a separate request
Previous by thread: [jetty-dev] CVE-2024-13009 in EOL Jetty 9.4 - GzipHandler causes part of request body to be seen as request body of a separate request
Index(es):
- Date
- Thread

Breadcrumbs