CVE-2025-11143

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-11143
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11143.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11143
Aliases
Downstream
Related
Published
2026-03-05T10:15:54.680Z
Modified
2026-03-12T17:34:03.029310Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
bf9d17540c7ae4c91be30c045a9485aa2030d3e5
Last affected
8f1440587e9e4ae7db3d74cf205643f3d707148d
Introduced
b9645a17373e4e9b7f30b6c0a07defcea2cb660b
Last affected
65a55c55a68c56d5f2e8232164439bd6e76e53d1
Introduced
432f896d7a4555fcc81f38108757ea0aca8788e6
Last affected
7559873b6e46eea7c2c6da2b58327ea2ecf941f4
Introduced
28100e8da711e44c0722ed10bd413ae862497539
Fixed
5eb4a85cac542a4ad1f2b9d761f9c99f5ca9476e
Introduced
c8372b65bd15404de1444d68902c0455a3a69b64
Fixed
4905d09d7b6801e792d7b73946cf7b66e4be25d6
Database specific 
{
    "versions": [
        {
            "introduced": "9.4.0"
        },
        {
            "last_affected": "9.4.58"
        },
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.0.26"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "last_affected": "11.0.26"
        },
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.0.31"
        },
        {
            "introduced": "12.1.0"
        },
        {
            "fixed": "12.1.5"
        }
    ]
}

Affected versions

jetty-10.*
jetty-10.0.0
jetty-10.0.1
jetty-10.0.13
jetty-10.0.15
jetty-10.0.16
jetty-10.0.17
jetty-10.0.18
jetty-10.0.19
jetty-10.0.2
jetty-10.0.20
jetty-10.0.22
jetty-10.0.23
jetty-10.0.24
jetty-10.0.25
jetty-10.0.26
jetty-10.0.4
jetty-10.0.5
jetty-10.0.6
jetty-10.0.7
jetty-10.0.8
jetty-9.*
jetty-9.4.36.v20210114
jetty-9.4.37.v20210219
jetty-9.4.38.v20210224
jetty-9.4.39.v20210325
jetty-9.4.40.v20210413
jetty-9.4.42.v20210604
jetty-9.4.43.v20210629
jetty-9.4.44.v20210927
jetty-9.4.45.v20220203
jetty-9.4.50.v20221201
jetty-9.4.52.v20230823
jetty-9.4.53.v20231009
jetty-9.4.54.v20240208
jetty-9.4.55.v20240627
jetty-9.4.56.v20240826
jetty-9.4.57.v20241219

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11143.json"