CVE-2025-1948
Aliases: GHSA-889j-63jv-qhr8
Advisory lineage Upstream: 0 Downstream: 9
Analyzed
Published: 08 May 2025, 17:48
Last modified: 08 May 2025, 18:31
Vulnerability Summary
Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH, v3.1 (cve.org)
EPSS Score: 0.58% LOW (1% probability, +0.45%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 08 May 2025, 17:48: Published (vulnerability first disclosed)
- 08 May 2025, 18:31: Last Modified (vulnerability information updated)
Description
In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
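The defect described above is a missing bound on a peer-supplied size before it is used for an allocation. The following added example (not Jetty's code, and not taken from the referenced fix commit) parses an HTTP/2 SETTINGS frame as laid out in RFC 9113 and shows the server-side check a practitioner would want: the advertised SETTINGS_MAX_HEADER_LIST_SIZE is clamped to a local ceiling before it is allowed to size an encoder buffer. The constant LOCAL_MAX_HEADER_LIST_SIZE and the helper names are assumptions chosen for illustration, and the sample frames are constructed inline.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4            # frame type code for SETTINGS (RFC 9113 s6.5)
SETTINGS_FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6  # setting identifier (RFC 9113 s6.5.2)

# Hypothetical server-side ceiling for the response-encoding buffer (assumption).
LOCAL_MAX_HEADER_LIST_SIZE = 64 * 1024


def build_settings_frame(settings):
    """Encode a SETTINGS frame from {identifier: value} pairs.

    Only used here to construct sample input; a server would receive
    these bytes from the peer.
    """
    payload = b"".join(struct.pack("!HI", sid, val) for sid, val in settings.items())
    # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream identifier (0 for SETTINGS)
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, 0]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame):
    """Parse one SETTINGS frame into {identifier: value}; reject malformed frames."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS frames must be sent on stream 0")
    if flags & SETTINGS_FLAG_ACK:
        if length != 0:
            raise ValueError("SETTINGS ACK must carry an empty payload")
        return {}
    if length % 6 != 0 or len(frame) != 9 + length:
        raise ValueError("SETTINGS payload must be a whole number of 6-byte entries")
    settings = {}
    for off in range(9, 9 + length, 6):
        sid, val = struct.unpack("!HI", frame[off:off + 6])
        settings[sid] = val
    return settings


def encoder_buffer_capacity(peer_settings, local_cap=LOCAL_MAX_HEADER_LIST_SIZE):
    """Return the capacity to use for the header-encoding buffer.

    The advisory describes the unsafe pattern as using the peer's advertised
    value directly as the allocation size. Here the value is bounded by the
    server's own limit, so a peer cannot drive the allocation beyond local_cap.
    """
    advertised = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE)
    if advertised is None:
        return local_cap
    return min(advertised, local_cap)


if __name__ == "__main__":
    # Constructed sample: a peer advertising the maximum 32-bit value.
    hostile = build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF})
    parsed = parse_settings_frame(hostile)
    print("advertised:", parsed[SETTINGS_MAX_HEADER_LIST_SIZE])
    print("buffer capacity actually used:", encoder_buffer_capacity(parsed))

    # Constructed sample: a reasonable advertised value is honoured as-is.
    benign = build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 8192})
    print("benign capacity:", encoder_buffer_capacity(parse_settings_frame(benign)))
```

The clamp is deliberately applied at the point where the setting is consumed for allocation rather than only at parse time, since a settings value may be stored and reused long after the frame was read; validating once on receipt and again at the allocation site costs nothing and removes the unbounded-allocation path.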
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.58% • Percentile: 69%
Techniques & Countermeasures
- CWE-400 • Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- eclipse foundation • jetty: ≥ 12.0.0, ≤ 12.0.16
- eclipse • jetty: ≥ 12.0.0, < 12.0.17
- org.eclipse.jetty.http2 • jetty-http2-common: ≥ 12.0.0, < 12.0.17
References (6)
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
- https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
- https://nvd.nist.gov/vuln/detail/CVE-2025-1948
- https://github.com/jetty/jetty.project/issues/12690
- https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
- https://github.com/jetty/jetty.project