GHSA-7p63-w6x9-6gr7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7p63-w6x9-6gr7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-7p63-w6x9-6gr7/GHSA-7p63-w6x9-6gr7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7p63-w6x9-6gr7
- Aliases
-
- CVE-2025-12383
- Downstream
- Related
- Published
- 2025-11-18T18:32:51Z
- Modified
- 2025-11-20T10:42:44.522270Z
- Severity
-
- 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- Eclipse Jersey has a Race Condition
- Details
-
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)
- Database specific
{ "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-362" ], "nvd_published_at": "2025-11-18T16:15:42Z", "github_reviewed_at": "2025-11-18T20:38:31Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-12383
- https://github.com/eclipse-ee4j/jersey/pull/5749
- https://github.com/eclipse-ee4j/jersey/pull/5794
- https://github.com/eclipse-ee4j/jersey/commit/425bc883d8d623ef8d3c448fafd36729f7741bcb
- https://github.com/eclipse-ee4j/jersey/commit/b2c7ba6d388cb9722f39073d7e82aa818fec49d5
- https://github.com/dtbaum/jerseyCveCandidate
- https://github.com/eclipse-ee4j/jersey
- https://github.com/eclipse-ee4j/jersey/releases/tag/2.46
- https://github.com/eclipse-ee4j/jersey/releases/tag/3.0.17
- https://github.com/eclipse-ee4j/jersey/releases/tag/3.1.10
- https://github.com/eclipse-ee4j/jersey/releases/tag/4.0.0-M2
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/74
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/253
Affected packages
Maven
org.glassfish.jersey.core:jersey-client
Package
- Name
- org.glassfish.jersey.core:jersey-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.glassfish.jersey.core/jersey-client
org.glassfish.jersey.core:jersey-client
Package
- Name
- org.glassfish.jersey.core:jersey-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.glassfish.jersey.core/jersey-client
org.glassfish.jersey.core:jersey-client
Package
- Name
- org.glassfish.jersey.core:jersey-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.glassfish.jersey.core/jersey-client