[jetty-dev] CVE-2025-1948 - Jetty 12 - HTTP/2 clients can force excessive memory allocation on server

HTTP/2 clients can force excessive memory allocation on server

CVE: CVE-2025-1948
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impacts: org.eclipse.jetty.http2:jetty-http2-common >=12.0.0,<=12.0.16
Patched: 12.0.17 - Supported, and available on Maven Central
Weakness: CWE-400 - Uncontrolled Resource Consumption

In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
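The weakness above is a peer-supplied number driving a server-side allocation. As an added illustration that is not Jetty's code (and not its actual fix in 12.0.17), the following Java reads SETTINGS_MAX_HEADER_LIST_SIZE out of an HTTP/2 SETTINGS frame payload and clamps it to a server-side ceiling before any buffer is sized by it. The class name, the `SERVER_CEILING` value and the constructed payload are assumptions made for the example.

```java
import java.nio.ByteBuffer;

/**
 * Added illustration, not Jetty's code: reads SETTINGS_MAX_HEADER_LIST_SIZE
 * from an HTTP/2 SETTINGS frame payload and clamps it to a server-side
 * ceiling before it is allowed to size any buffer.
 */
public class HeaderListSizeClamp {

    // Settings identifier defined by RFC 7540 section 6.5.2.
    static final int SETTINGS_MAX_HEADER_LIST_SIZE = 0x6;

    // Hypothetical server-side ceiling; a deployment picks its own value.
    static final long SERVER_CEILING = 64L * 1024;

    /**
     * Returns the value the peer advertised for the given identifier, or -1 if
     * the payload does not carry it. A SETTINGS payload is a sequence of
     * 6-byte entries: 16-bit identifier followed by a 32-bit unsigned value.
     */
    static long advertisedValue(byte[] settingsPayload, int wantedId) {
        if (settingsPayload.length % 6 != 0) {
            throw new IllegalArgumentException("malformed SETTINGS payload");
        }
        ByteBuffer buf = ByteBuffer.wrap(settingsPayload); // big-endian by default
        while (buf.hasRemaining()) {
            int id = buf.getShort() & 0xFFFF;
            long value = buf.getInt() & 0xFFFFFFFFL; // keep the full unsigned range
            if (id == wantedId) {
                return value;
            }
        }
        return -1;
    }

    /** Unsafe pattern: the peer's number drives the allocation directly. */
    static ByteBuffer unsafeEncoderBuffer(long advertised) {
        // Casting an unchecked 32-bit value yields a huge or even negative capacity.
        return ByteBuffer.allocate((int) advertised);
    }

    /** Hardened pattern: never size a buffer above what the server itself allows. */
    static int effectiveMaxHeaderListSize(long advertised) {
        if (advertised < 0) {
            return (int) SERVER_CEILING; // peer sent nothing; fall back to the local limit
        }
        return (int) Math.min(advertised, SERVER_CEILING);
    }

    static ByteBuffer boundedEncoderBuffer(long advertised) {
        return ByteBuffer.allocate(effectiveMaxHeaderListSize(advertised));
    }

    public static void main(String[] args) {
        // Constructed SETTINGS payload: one entry advertising 0xFFFFFFFF (about 4 GiB).
        byte[] payload = {
            0x00, 0x06,
            (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF
        };
        long advertised = advertisedValue(payload, SETTINGS_MAX_HEADER_LIST_SIZE);
        System.out.println("peer advertised: " + advertised);
        System.out.println("bounded capacity: " + boundedEncoderBuffer(advertised).capacity());
        // unsafeEncoderBuffer(advertised) is deliberately not called here: it would
        // request a capacity the JVM cannot satisfy.
    }
}
```

The design point is that the peer's setting is an upper bound the peer is willing to accept, not a size the server is obliged to honour; the server's own configured limit must win whenever it is smaller. Operationally, a connection that advertises an implausibly large SETTINGS_MAX_HEADER_LIST_SIZE is also worth logging, since it has no legitimate reason to do so.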

See: https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8 for details.

Credits to: https://github.com/bjorncs (reporter)

- Joakim Erdfelt
