CVE-2025-5115

Published Aug 20, 2025

Last updated 3 months ago

CVSS high 7.7

Overview

Description
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Source
emo@eclipse.org
NVD status
Analyzed
Products
jetty

Risk scores

CVSS 4.0

Type
Secondary
Base score
7.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

emo@eclipse.org
CWE-400

Social media

Hype score
Not currently trending

  1. ⚠️Vulnerabilidad en productos Jenkins ❗CVE-2025-5115 ➡️Más info: https://t.co/ntk4JvQQTL https://t.co/mU9SCRguLA

    @CERTpy

    26 Sept 2025

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. URGENT: Patch #SUSE Linux now for CVE-2025-5115! CVSS: 8.7 - Critical HTTP/2 DoS vuln in jetty-minimal. Read more: 👉 https://t.co/C5hCwoKGxk #Security https://t.co/AFmIdmNgyb

    @Cezar_H_Linux

    28 Aug 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. openSUSE: jetty-annotations Moderate CVE-2025-5115 Advisory 2025:15483-1 https://t.co/YO2Z8c0XNl

    @zeeshankghouri

    25 Aug 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Security Advisory: #openSUSE Tumbleweed has released a patch for CVE-2025-5115, a moderate vulnerability in the jetty-annotations package (v9.4.58-1.1). Read more: 👉 https://t.co/kgWSU4RoCQ #Security https://t.co/SpSrFswQmL

    @Cezar_H_Linux

    24 Aug 2025

    70 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Hey Open Source Community! 👋 A new security update is available for #openSUSE Tumbleweed users. The latest patch addresses a moderate-severity vulnerability (CVE-2025-5115) in the Jetty web server's annotations module. Read more:👉 https://t.co/RAAVsqcj00 #Security https:/

    @Cezar_H_Linux

    24 Aug 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-5115 In Eclipse Jetty, versions &lt;=9.4.57, &lt;=10.0.25, &lt;=11.0.25, &lt;=12.0.21, &lt;=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by… https://t.co/9D4KNVzGUu

    @CVEnew

    21 Aug 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-5115 HTTP/2 Resource Exhaustion Vulnerability in Eclipse Jetty Versions &lt;=12.1.0.alpha2 https://t.co/JvXmmq4a1W

    @VulmonFeeds

    20 Aug 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.CVE-2026-5795
  2. In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.CVE-2026-1605
  3. The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.CVE-2025-11143
  4. In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.CVE-2025-1948
  5. In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.CVE-2024-13009

References

Sources include official advisories and independent security research.