CVE-2025-1948: CWE-400 Uncontrolled Resource Consumption in Eclipse Foundation Jetty

Severity: High
Tags: Vulnerability, CVE-2025-1948, CWE-400
Published: Thu May 08 2025 (05/08/2025, 17:48:40 UTC)
Source: CVE
Vendor/Project: Eclipse Foundation
Product: Jetty

Description

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

AI-Powered Analysis

Last updated: 07/05/2025, 05:10:46 UTC

Technical Analysis

CVE-2025-1948 is a high-severity vulnerability in Eclipse Jetty 12.0.0 through 12.0.16, classified as CWE-400 (uncontrolled resource consumption). An HTTP/2 client advertises SETTINGS_MAX_HEADER_LIST_SIZE in the SETTINGS frame it sends immediately after the connection preface, before any request. The setting is a 32-bit unsigned value, so a client can claim a limit of roughly 4 GiB, and RFC 9113 defines it as advisory: a hint of the largest header block the sender is prepared to accept, not an instruction to the peer. Affected Jetty versions do not validate the value and use it as the capacity of the ByteBuffer allocated to encode response headers. A client that advertises a value in the gigabyte range therefore makes the server attempt an allocation of that order, which typically ends in an OutOfMemoryError and can take the whole JVM process down.

Exploitation requires no authentication, no user interaction and no valid request: opening an HTTP/2 connection and sending one SETTINGS frame is sufficient, and the same client can repeat this against every restarted instance. The CVSS v3.1 base score is 7.5 (network vector, low complexity, no privileges, availability impact only; confidentiality and integrity are unaffected). At the time of this analysis no exploitation in the wild had been reported and no patch reference is listed in this record, but the affected range in the description ends at 12.0.16, so a release after that is the upgrade target. The defect is in Jetty acting as an HTTP/2 server; HTTP/2 clients are the side that triggers it, not the side that is harmed. Jetty is widely used as an embedded HTTP server and servlet container, so the affected code may sit inside applications and appliances that do not present themselves as Jetty deployments.

Potential Impact

For European organizations, the impact of CVE-2025-1948 is a denial-of-service condition against any web service that terminates HTTP/2 on a vulnerable Jetty version. Because the description states that the JVM process itself may exit, a single unauthenticated connection can take down not just one request but the whole server instance, and a restarted instance can be taken down again with the next connection. This translates into outages, degraded user experience and financial or reputational damage for internet-facing services such as e-commerce platforms, public-sector portals and critical-infrastructure front ends that rely on Jetty for HTTP/2. There is no integrity or confidentiality impact, so data theft or tampering is not a direct concern, but loss of availability affects business continuity and trust, and sectors with strict availability obligations (finance, healthcare, public administration) may face regulatory consequences if services are disrupted. The absence of reported exploitation in the wild leaves a window for proactive remediation; the low effort required to trigger the condition means that window should be used quickly.

Mitigation Recommendations

To mitigate CVE-2025-1948, European organizations should:

1) Inventory all systems running Eclipse Jetty 12.0.0 through 12.0.16, including embedded Jetty shipped inside applications as a Maven or Gradle dependency rather than as an installed package, and prioritise instances that accept HTTP/2 connections from untrusted networks.

2) Upgrade to a Jetty release outside the affected range; the description ends the range at 12.0.16, so 12.0.17 or later is the target. This record lists no patch reference, so confirm the fixed version against the Eclipse Jetty advisory for CVE-2025-1948 before relying on it. Where an upgrade cannot be scheduled immediately, disable HTTP/2 on exposed connectors: in a Jetty distribution this means disabling the http2 (h2 over TLS) and http2c (cleartext h2c) modules, and in embedded Jetty it means removing the HTTP/2 connection factories from the ServerConnector. Clients then negotiate HTTP/1.1, which has no SETTINGS frame and therefore cannot carry this parameter.

3) Terminate TLS and HTTP/2 at a reverse proxy or load balancer in front of Jetty, so that the client's SETTINGS frame is consumed by the proxy and Jetty only ever sees the proxy's own, fixed settings. Generic network-level inspection cannot see SETTINGS frames inside an h2 TLS session without terminating it, and because the value arrives before any request, per-request rate limiting never sees it either; limit new connections per source address instead.

4) Where a WAF or proxy genuinely operates at the HTTP/2 frame level, add a rule that rejects or clamps a client SETTINGS_MAX_HEADER_LIST_SIZE above the size the backend is configured to produce. Rules written against HTTP request headers or bodies do not see settings parameters and give no protection here.

5) Monitor JVM heap metrics and logs for OutOfMemoryError, abrupt process exits and restart loops, and watch for HTTP/2 connections that are opened and closed without issuing any request; a burst of such connections from one source is the expected signature of an attempt.

6) Include HTTP/2 protocol handling (settings, frame sizes, flow control) in penetration testing and vulnerability scanning, and verify after remediation that either the running version is outside the affected range or HTTP/2 is no longer negotiated on the affected connectors.

7) Brief development and operations teams that limits advertised by a remote peer are untrusted input: they may shrink what the server sends, but they must be clamped to a local maximum before they are used to size any allocation.
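The following Python script is an added example; it is not code from the original page or from the Jetty project. It assumes a hypothetical server-side ceiling SERVER_MAX_HEADER_LIST_SIZE (an example policy value, not a Jetty default) and constructs its own sample connection bytes; the frame and settings layout follow RFC 9113. It demonstrates the two points made in the technical analysis and the mitigation list above: the unsafe sizing pattern (the peer's advertised value used directly as an allocation size) beside its clamped form, and a check that flags a client SETTINGS frame advertising a value above the local cap, which is what a frame-level proxy rule or a detection script would need to do.

```python
"""Parse HTTP/2 SETTINGS frames and flag an oversized SETTINGS_MAX_HEADER_LIST_SIZE."""
import struct

# Protocol constants from RFC 9113 (HTTP/2).
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Hypothetical local ceiling for response header encoding buffers.
# This is an assumed policy value for the example, not a Jetty default.
SERVER_MAX_HEADER_LIST_SIZE = 64 * 1024


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame on stream 0 from a {setting_id: value} dict."""
    payload = b"".join(struct.pack("!HI", sid, val) for sid, val in settings.items())
    length = struct.pack("!I", len(payload))[1:]  # 24-bit length field
    flags = FLAG_ACK if ack else 0
    return length + bytes([FRAME_TYPE_SETTINGS, flags]) + struct.pack("!I", 0) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) per frame, skipping a leading connection preface."""
    off = len(CONNECTION_PREFACE) if data.startswith(CONNECTION_PREFACE) else 0
    while off < len(data):
        if len(data) - off < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def parse_settings(payload):
    """Decode a SETTINGS payload: each entry is a 16-bit identifier and a 32-bit unsigned value."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length is not a multiple of 6")
    entries = (struct.unpack("!HI", payload[i:i + 6]) for i in range(0, len(payload), 6))
    return {sid: val for sid, val in entries}


def unsafe_encoder_capacity(peer_settings, server_cap=SERVER_MAX_HEADER_LIST_SIZE):
    """The pattern the advisory describes: the peer's advertised limit becomes the allocation
    size unchanged, so a 32-bit value near 4 GiB turns into a buffer request of that size."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, server_cap)


def safe_encoder_capacity(peer_settings, server_cap=SERVER_MAX_HEADER_LIST_SIZE):
    """Hardened form: the peer value may shrink the buffer but never grow it past the local cap."""
    return min(peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, server_cap), server_cap)


def audit_client_settings(raw, server_cap=SERVER_MAX_HEADER_LIST_SIZE):
    """Return findings for the SETTINGS frames in a client's connection bytes."""
    findings = []
    for ftype, flags, stream_id, payload in iter_frames(raw):
        if ftype != FRAME_TYPE_SETTINGS:
            continue
        if stream_id != 0:
            findings.append(f"SETTINGS frame on stream {stream_id} (must be 0)")
        if flags & FLAG_ACK:
            if payload:
                findings.append("SETTINGS ACK carries a payload")
            continue
        for sid, val in parse_settings(payload).items():
            if sid == SETTINGS_MAX_HEADER_LIST_SIZE and val > server_cap:
                findings.append(f"SETTINGS_MAX_HEADER_LIST_SIZE={val} exceeds local cap {server_cap}")
    return findings


# Constructed sample traffic for the example; not captured from a real client.
BENIGN_CLIENT = CONNECTION_PREFACE + build_settings_frame(
    {0x4: 65535, SETTINGS_MAX_HEADER_LIST_SIZE: 16384})          # 0x4 = INITIAL_WINDOW_SIZE
HOSTILE_CLIENT = CONNECTION_PREFACE + build_settings_frame(
    {SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF})                 # largest 32-bit value

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_CLIENT), ("hostile", HOSTILE_CLIENT)):
        settings_payload = next(p for t, _, _, p in iter_frames(raw) if t == FRAME_TYPE_SETTINGS)
        peer = parse_settings(settings_payload)
        print(name, "unsafe capacity:", unsafe_encoder_capacity(peer),
              "safe capacity:", safe_encoder_capacity(peer),
              "findings:", audit_client_settings(raw))
```

The clamp in safe_encoder_capacity is the whole fix in miniature: the peer's number is still honoured when it is smaller than what the server would send, which is the only legitimate use of an advisory limit, and ignored when it is larger. The audit function is the same comparison applied at a proxy or in a packet-capture post-processor, and it only works on bytes seen after TLS termination.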

Technical Details

Data Version: 5.1
Assigner Short Name: eclipse
Date Reserved: 2025-03-04T13:55:56.722Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd8228

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 5:10:46 AM

Last updated: 8/13/2025, 1:03:01 PM

