CVE-2025-1948

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGSMAXHEADERLISTSIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

References

Affected packages

Debian:13 / jetty12

Package

Name: jetty12
Purl: pkg:deb/debian/jetty12?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.0.17-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

28100e8da711e44c0722ed10bd413ae862497539

Fixed

14d19c268e4cb09afc312b5255a4cbb7a95c5cb6

Affected versions

jetty-10.*

jetty-10.0.16

jetty-10.0.17

jetty-10.0.18

jetty-10.0.19

jetty-10.0.20

jetty-10.0.22

jetty-10.0.23

jetty-10.0.24

jetty-11.*

jetty-11.0.16

jetty-11.0.17

jetty-11.0.18

jetty-11.0.19

jetty-11.0.20

jetty-11.0.22

jetty-11.0.23

jetty-11.0.24

jetty-12.*

jetty-12.0.0x

jetty-12.0.1

jetty-12.0.10

jetty-12.0.11

jetty-12.0.12

jetty-12.0.13

jetty-12.0.14

jetty-12.0.15

jetty-12.0.16

jetty-12.0.2

jetty-12.0.3

jetty-12.0.4

jetty-12.0.5

jetty-12.0.6

jetty-12.0.7

jetty-12.0.8

jetty-12.0.9