GHSA-889j-63jv-qhr8

Source
https://github.com/advisories/GHSA-889j-63jv-qhr8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-889j-63jv-qhr8/GHSA-889j-63jv-qhr8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-889j-63jv-qhr8
Aliases
Related
Published
2025-05-08T19:28:45Z
Modified
2025-05-08T19:57:34.290869Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit
Details

Original Report

In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
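As an added illustration (not Jetty's own code), the defensive check this report implies: treat the peer-advertised SETTINGS_MAX_HEADER_LIST_SIZE as untrusted input and bound it by a server-side limit before using it as a buffer capacity. The class and method names and the 64 KiB ceiling are assumptions.

```java
import java.nio.ByteBuffer;

// Added example, not Jetty's code. Names and the ceiling are hypothetical.
public class HeaderListSizeCheck {
    // Server-side ceiling for the header encoder buffer (assumed value).
    static final int SERVER_MAX_HEADER_LIST_SIZE = 64 * 1024;
    // HTTP/2 SETTINGS values are 32-bit unsigned, so a peer may send up to 2^32-1.
    static final long SETTINGS_VALUE_MAX = 0xFFFFFFFFL;

    // Unvalidated pattern: the peer's advertised value becomes the capacity.
    // A value in the billions requests gigabytes of heap for one connection.
    static ByteBuffer allocateUnchecked(long advertised) {
        return ByteBuffer.allocate((int) advertised);
    }

    // Hardened pattern: reject values outside the protocol range and clamp
    // the rest to what this server is willing to allocate.
    static int boundedCapacity(long advertised) {
        if (advertised < 0 || advertised > SETTINGS_VALUE_MAX) {
            throw new IllegalArgumentException("invalid SETTINGS value: " + advertised);
        }
        return (int) Math.min(advertised, SERVER_MAX_HEADER_LIST_SIZE);
    }

    static ByteBuffer allocateBounded(long advertised) {
        return ByteBuffer.allocate(boundedCapacity(advertised));
    }

    public static void main(String[] args) {
        long hostile = 2_000_000_000L; // constructed: roughly 2 GB requested by the peer
        System.out.println("bounded capacity: " + allocateBounded(hostile).capacity());
        // allocateUnchecked(hostile) would attempt a ~2 GB allocation and is likely
        // to throw OutOfMemoryError; it is shown for contrast and not invoked here.
    }
}
```

The bounded variant prints 65536 for the constructed input; the peer's setting still shapes the buffer, but only up to the server's own limit.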

Impact

Remote peers can cause the JVM to crash or continuously report OOM.

Patches

12.0.17

Workarounds

No workarounds.

References

https://github.com/jetty/jetty.project/issues/12690

Database specific
{
    "nvd_published_at": "2025-05-08T18:15:41Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-08T19:28:45Z"
}
Affected packages

Maven / org.eclipse.jetty.http2:jetty-http2-common

Package

Name
org.eclipse.jetty.http2:jetty-http2-common
Purl
pkg:maven/org.eclipse.jetty.http2/jetty-http2-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.17

Affected versions

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
12.0.11
12.0.12
12.0.13
12.0.14
12.0.15
12.0.16

Database specific

{
    "last_known_affected_version_range": "<= 12.0.16"
}