CVE-2025-5115

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.

For example, a client can open a stream and then send WINDOWUPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-windowupdate , the server should send a RSTSTREAM frame. The client can now open another stream and send another bad WINDOWUPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.

The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.

Links:

https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

References

Affected packages

Git / github.com/jetty/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/jetty/jetty.project
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

65a55c55a68c56d5f2e8232164439bd6e76e53d1

Fixed

7559873b6e46eea7c2c6da2b58327ea2ecf941f4

Fixed

8f1440587e9e4ae7db3d74cf205643f3d707148d

Fixed

a862b76d8372e24205765182d9ae1d1d333ce2ea

Fixed

c8372b65bd15404de1444d68902c0455a3a69b64

Affected versions

Other

PRE-MERGE-20120719-1138

jetty-10.*

jetty-10.0.0

jetty-10.0.0-alpha0

jetty-10.0.0.alpha1

jetty-10.0.0.beta1

jetty-10.0.0.beta2

jetty-10.0.0.beta3

jetty-10.0.1

jetty-10.0.13

jetty-10.0.15

jetty-10.0.16

jetty-10.0.17

jetty-10.0.18

jetty-10.0.19

jetty-10.0.2

jetty-10.0.20

jetty-10.0.22

jetty-10.0.23

jetty-10.0.24

jetty-10.0.25

jetty-10.0.4

jetty-10.0.5

jetty-10.0.6

jetty-10.0.7

jetty-10.0.8

jetty-11.*

jetty-11.0.0

jetty-11.0.0-alpha0

jetty-11.0.0.beta1

jetty-11.0.0.beta2

jetty-11.0.0.beta3

jetty-11.0.1

jetty-11.0.13

jetty-11.0.15

jetty-11.0.16

jetty-11.0.17

jetty-11.0.18

jetty-11.0.19

jetty-11.0.2

jetty-11.0.20

jetty-11.0.22

jetty-11.0.23

jetty-11.0.24

jetty-11.0.4

jetty-11.0.5

jetty-11.0.6

jetty-11.0.7

jetty-11.0.8

jetty-11.0.9

jetty-12.*

jetty-12.0.0.alpha3

jetty-12.0.0.beta1

jetty-12.0.0.beta2x

jetty-12.0.0.beta3

jetty-12.0.0.beta3x

jetty-12.0.0x

jetty-12.0.1

jetty-12.0.10

jetty-12.0.11

jetty-12.0.12

jetty-12.0.13

jetty-12.0.14

jetty-12.0.15

jetty-12.0.16

jetty-12.0.17

jetty-12.0.18

jetty-12.0.19

jetty-12.0.2

jetty-12.0.20

jetty-12.0.22

jetty-12.0.23

jetty-12.0.3

jetty-12.0.4

jetty-12.0.5

jetty-12.0.6

jetty-12.0.7

jetty-12.0.8

jetty-12.0.9

jetty-12.1.0.alpha0

jetty-12.1.0.beta1

jetty-7.*

jetty-7.4.4.v20110707

jetty-7.5.0.RC0

jetty-7.5.0.RC1

jetty-7.5.0.RC2

jetty-7.5.0.v20110901

jetty-7.5.1.v20110907

jetty-7.5.1.v20110908

jetty-7.5.2.v20111006

jetty-7.5.3.v20111011

jetty-7.5.4.v20111024

jetty-7.6.0.RC0

jetty-7.6.0.RC1

jetty-7.6.0.RC2

jetty-7.6.0.RC3

jetty-7.6.0.RC4

jetty-7.6.0.RC5

jetty-7.6.0.v20120125

jetty-7.6.0.v20120127

jetty-7.6.1.v20120215

jetty-7.6.10.v20130312

jetty-7.6.11.v20130520

jetty-7.6.11.v20130725

jetty-7.6.12.v20130726

jetty-7.6.13.v20130910

jetty-7.6.2.v20120302

jetty-7.6.2.v20120308

jetty-7.6.3.v20120413

jetty-7.6.3.v20120416

jetty-7.6.4.v20120522

jetty-7.6.4.v20120524

jetty-7.6.5.v20120713

jetty-7.6.5.v20120716

jetty-7.6.6.v20120903

jetty-7.6.7.v20120910

jetty-7.6.8.v20121106

jetty-7.6.9.v20130131

jetty-8.*

jetty-8.0.0.RC0

jetty-8.0.0.v20110901

jetty-8.0.1.v20110907

jetty-8.0.1.v20110908

jetty-8.0.2.v20111006

jetty-8.0.3.v20111011

jetty-8.0.4.v20111024

jetty-8.1.0.RC0

jetty-8.1.0.RC1

jetty-8.1.0.RC2

jetty-8.1.0.RC4

jetty-8.1.0.RC5

jetty-8.1.0.v20120125

jetty-8.1.0.v20120127

jetty-8.1.1.v20120215

jetty-8.1.10.v20130312

jetty-8.1.11.v20130520

jetty-8.1.12.v20130725

jetty-8.1.12.v20130726

jetty-8.1.13.v20130910

jetty-8.1.13.v20130916

jetty-8.1.2.v20120302

jetty-8.1.2.v20120308

jetty-8.1.3.v20120413

jetty-8.1.3.v20120416

jetty-8.1.4.v20120522

jetty-8.1.4.v20120524

jetty-8.1.5.v20120713

jetty-8.1.5.v20120716

jetty-8.1.6.v20120903

jetty-8.1.7.v20120910

jetty-8.1.8.v20121106

jetty-8.1.9.v20130131

jetty-9.*

jetty-9.0.0.M0

jetty-9.0.0.M1

jetty-9.0.0.M2

jetty-9.0.0.M3

jetty-9.0.0.M4

jetty-9.0.0.M5

jetty-9.0.0.RC0

jetty-9.0.0.RC1

jetty-9.0.0.RC2

jetty-9.0.0.RC3

jetty-9.0.0.v20130308

jetty-9.0.1.v20130408

jetty-9.0.2.v20130417

jetty-9.0.2.v20140415

jetty-9.0.3.v20130506

jetty-9.0.4.v20130621

jetty-9.0.4.v20130625

jetty-9.0.5.v20130813

jetty-9.0.5.v20130815

jetty-9.0.6.v20130919

jetty-9.0.6.v20130930

jetty-9.0.7.v20131031

jetty-9.0.7.v20131107

jetty-9.0.x

jetty-9.1.0.M0

jetty-9.1.0.RC0

jetty-9.1.0.RC1

jetty-9.1.0.RC2

jetty-9.1.0.v20131115

jetty-9.1.1.v20140108

jetty-9.1.2.v20140210

jetty-9.1.3.v20140225

jetty-9.1.4.v20140401

jetty-9.2.0.M0

jetty-9.2.0.M1

jetty-9.2.0.RC0

jetty-9.2.0.v20140523

jetty-9.2.0.v20140526

jetty-9.2.1.v20140609

jetty-9.2.10.v20150310

jetty-9.2.11.M0

jetty-9.2.11.v20150528

jetty-9.2.11.v20150529

jetty-9.2.12.M0

jetty-9.2.12.v20150709

jetty-9.2.13.v20150730

jetty-9.2.14.v20151106

jetty-9.2.15.v20160210

jetty-9.2.16.v20160414

jetty-9.2.17.v20160517

jetty-9.2.18.v20160721

jetty-9.2.19.v20160908

jetty-9.2.2.v20140723

jetty-9.2.20.v20161216

jetty-9.2.21.v20170120

jetty-9.2.22.v20170606

jetty-9.2.23.v20171218

jetty-9.2.24.v20180105

jetty-9.2.25.v20180606

jetty-9.2.26.v20180806

jetty-9.2.27.v20190403

jetty-9.2.28.v20190418

jetty-9.2.29.v20191105

jetty-9.2.3.v20140905

jetty-9.2.4.v20141103

jetty-9.2.5.v20141112

jetty-9.2.6.v20141203

jetty-9.2.6.v20141205

jetty-9.2.7.v20150116

jetty-9.2.8.v20150217

jetty-9.2.9.v20150224

jetty-9.3.0.M0

jetty-9.3.0.v20150612

jetty-9.3.1.v20150714

jetty-9.3.10.M0

jetty-9.3.10.v20160621

jetty-9.3.11.M0

jetty-9.3.11.v20160721

jetty-9.3.12.v20160915

jetty-9.3.13.M0

jetty-9.3.13.v20161014

jetty-9.3.14.v20161028

jetty-9.3.15.v20161220

jetty-9.3.16.v20170120

jetty-9.3.17.v20170317

jetty-9.3.18.v20170406

jetty-9.3.19.v20170502

jetty-9.3.20.v20170531

jetty-9.3.21.M0

jetty-9.3.21.v20170918

jetty-9.3.22.v20171030

jetty-9.3.23.v20180228

jetty-9.3.24.v20180605

jetty-9.3.25.v20180904

jetty-9.3.26.v20190403

jetty-9.3.27.v20190418

jetty-9.3.28.v20191105

jetty-9.3.3.v20150825

jetty-9.3.3.v20150827

jetty-9.3.4.v20151007

jetty-9.3.5.v20151012

jetty-9.3.6.v20151106

jetty-9.3.7.RC0

jetty-9.3.7.RC1

jetty-9.3.7.v20160115

jetty-9.3.8.RC0

jetty-9.3.8.v20160314

jetty-9.3.9.M1

jetty-9.3.9.v20160517

jetty-9.4.0.M1

jetty-9.4.0.RC0

jetty-9.4.0.RC1

jetty-9.4.0.RC2

jetty-9.4.0.RC3

jetty-9.4.0.v20161207

jetty-9.4.0.v20161208

jetty-9.4.1.v20170120

jetty-9.4.10.v20180503

jetty-9.4.11.v20180605

jetty-9.4.12.v20180830

jetty-9.4.13.v20181111

jetty-9.4.14.v20181114

jetty-9.4.15.v20190215

jetty-9.4.16.v20190411

jetty-9.4.17.v20190418

jetty-9.4.18.v20190429

jetty-9.4.19.v20190610

jetty-9.4.2.v20170220

jetty-9.4.20.v20190813

jetty-9.4.21.v20190926

jetty-9.4.22.v20191022

jetty-9.4.23.v20191118

jetty-9.4.24.v20191120

jetty-9.4.25.v20191220

jetty-9.4.26.v20200117

jetty-9.4.27.v20200227

jetty-9.4.28.v20200408

jetty-9.4.29.v20200521

jetty-9.4.3.v20170317

jetty-9.4.30.v20200611

jetty-9.4.31.v20200723

jetty-9.4.32.v20200930

jetty-9.4.33.v20201020

jetty-9.4.34.v20201102

jetty-9.4.35.v20201120

jetty-9.4.36.v20210114

jetty-9.4.37.v20210219

jetty-9.4.38.v20210224

jetty-9.4.39.v20210325

jetty-9.4.4.v20170414

jetty-9.4.40.v20210413

jetty-9.4.42.v20210604

jetty-9.4.43.v20210629

jetty-9.4.44.v20210927

jetty-9.4.45.v20220203

jetty-9.4.5.v20170502

jetty-9.4.50.v20221201

jetty-9.4.52.v20230823

jetty-9.4.53.v20231009

jetty-9.4.54.v20240208

jetty-9.4.55.v20240627

jetty-9.4.56.v20240826

jetty-9.4.57.v20241219

jetty-9.4.6.v20170531

jetty-9.4.7.v20170914

jetty-9.4.8.v20171121

jetty-9.4.9.v20180320

npn-api-1.*

npn-api-1.0.0.v20120402

npn-api-1.1.0.v20120525