[jetty-announce] CVE-2025-11143 - Jetty - Different parsing of invalid URIs

  Eclipse Jetty Security Advisory - CVE-2025-11143

  Severity: Low (CVSS 3.1)

  Affected component: org.eclipse.jetty:jetty-http

  Affected versions:
  - 9.4.0 through 9.4.58
  - 10.0.0 through 10.0.26
  - 11.0.0 through 11.0.26
  - 12.0.0 through 12.0.30
  - 12.1.0 through 12.1.4

  Fix available (supported open source versions):
  - 12.0.31 (available on Maven Central)
  - 12.1.5 (available on Maven Central)
  - 9.4.x / 10.0.x / 11.0.x - EOL releases, patches available, see details https://webtide.com/end-of-life/

Description:

The Jetty URI parser differs in several key ways from other common parsers when evaluating invalid or unusual URIs. These differences include the handling of invalid schemes, improper IPv4-mapped IPv6 addresses, incorrect IPv6 delimiter priority, and incorrect delimiter priority for the # and ? characters relative to @.

Differential parsing of URIs in systems built from multiple components may result in a security bypass. For example, a component that enforces a blocklist may interpret a URI differently from the component that generates the response. At the very least, differential parsing may divulge implementation details.

Weakness: CWE-20 (Improper Input Validation)

Workaround: None.

Credit: https://github.com/zer0yu, https://github.com/P3ngu1nW, https://github.com/9vvert

For full technical details, consult the GitHub security advisory:
https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh

The Eclipse Jetty Team
