[jetty-dev] Announcing CVE-2025-5115 - HTTP/2 MadeYouReset vuln

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Announcing CVE-2025-5115 - HTTP/2 MadeYouReset vuln

From: Joakim Erdfelt <joakim.erdfelt@xxxxxxxxx>
Date: Wed, 20 Aug 2025 15:31:24 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

If you have questions about this CVE, please use https://github.com/jetty/jetty.project/discussions/13491

This is public announcement for Eclipse Jetty CVE-2025-5115 related to the industry HTTP/2 MadeYouReset vulnerability CVE-2025-8671

Industry Vuln for MadeYouReset - https://kb.cert.org/vuls/id/767506
Industry CVE - CVE-2025-8671
Eclipse Jetty CVE - CVE-2025-5115
Eclipse Jetty Advisory - GHSA-mmxm-8w33-wc4h

Impacted packages:

Package Name	Versions Impacted	Fixed In
`org.eclipse.jetty.http2:http2-common`	>=9.3.0, <=9.4.57	9.4.58
`org.eclipse.jetty.http2:http2-common`	>=10.0.0, <=10.0.25	10.0.26
`org.eclipse.jetty.http2:http2-common`	>=11.0.0, <=11.0.25	11.0.26
`org.eclipse.jetty.http2:jetty-http2-common`	>=12.0.0, <=12.0.24	12.0.25
`org.eclipse.jetty.http2:jetty-http2-common`	>=12.1.0.alpha0, <=12.1.0.beta2	12.1.0.beta3

- Joakim

Prev by Date: [jetty-dev] Release of Eclipse Jetty 12.1.0
Previous by thread: [jetty-dev] Release of Eclipse Jetty 12.1.0
Index(es):
- Date
- Thread

Back to the top