CVE-2025-1948: CWE-400 Uncontrolled Resource Consumption in Eclipse Foundation Jetty
In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
AI Analysis
Technical Summary
CVE-2025-1948 is a high-severity vulnerability affecting Eclipse Foundation's Jetty HTTP server, versions 12.0.0 through 12.0.16. The flaw arises from missing validation of the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE parameter sent by an HTTP/2 client. Specifically, the Jetty HTTP/2 server does not check the value provided by the client and attempts to allocate a ByteBuffer with that capacity to encode HTTP responses. A client that advertises an excessively large value therefore causes uncontrolled resource consumption, resulting in an OutOfMemoryError or potentially causing the Java Virtual Machine (JVM) process to crash and exit unexpectedly. This is classified as CWE-400, Uncontrolled Resource Consumption. The vulnerability can be exploited remotely without authentication or user interaction, since it only requires a crafted HTTP/2 request (a SETTINGS frame carrying the oversized parameter) to reach the vulnerable server. The CVSS v3.1 base score is 7.5, reflecting high severity: network attack vector, no privileges or user interaction required, and an availability impact (denial of service through resource exhaustion) with no confidentiality or integrity impact. No known exploits are currently reported in the wild and no patches are listed yet, so affected organizations should prioritize monitoring and mitigation. The affected component is the Jetty HTTP/2 server in the stated version range, which is triggered by HTTP/2 clients connecting to it; Jetty is commonly embedded in web applications and services as an HTTP server or servlet container, so the exposure is broad.
Potential Impact
For European organizations, the primary impact of CVE-2025-1948 is a denial-of-service (DoS) condition that can disrupt availability of web services relying on vulnerable Jetty versions. This can lead to service outages, degraded user experience, and potential financial and reputational damage, especially for critical infrastructure, e-commerce platforms, and public-facing government services that depend on Jetty for HTTP/2 support. Since the vulnerability can be triggered remotely without authentication, attackers can exploit it at scale to cause widespread disruption. The absence of integrity or confidentiality impact means data theft or tampering is not a direct concern, but service unavailability can indirectly affect business continuity and trust. European organizations with high reliance on Jetty-based applications, particularly those exposed to the internet, are at risk of operational interruptions. Additionally, sectors such as finance, healthcare, and public administration, which require high availability and resilience, may face compliance and regulatory challenges if services are disrupted. The lack of known exploits in the wild provides a window for proactive mitigation, but the ease of exploitation necessitates urgent attention.
Mitigation Recommendations
To mitigate CVE-2025-1948, European organizations should:
1. Immediately inventory and identify all systems running Eclipse Jetty versions 12.0.0 to 12.0.16, focusing on those exposed to external HTTP/2 traffic.
2. Apply vendor patches or updates as soon as they become available; if no patches are yet released, consider upgrading to a Jetty version outside the affected range or temporarily disabling HTTP/2 support in Jetty configurations to prevent exploitation.
3. Implement network-level protections such as rate limiting and deep packet inspection on HTTP/2 traffic to detect and block anomalous SETTINGS_MAX_HEADER_LIST_SIZE values or unusually large header frames. SETTINGS frames travel inside the TLS-protected connection, so this inspection must happen at a point that terminates TLS (a reverse proxy or load balancer), not on the raw network path.
4. Employ Web Application Firewalls (WAFs) with custom rules to filter malformed or oversized HTTP/2 settings parameters.
5. Monitor server logs and JVM metrics (heap usage, OutOfMemoryError events, unexpected process exits) for signs of memory exhaustion, crashes, or unusual HTTP/2 client behavior to enable early detection of exploitation attempts.
6. Conduct penetration testing and vulnerability scanning focused on HTTP/2 protocol handling to validate the effectiveness of mitigations.
7. Educate development and operations teams about this vulnerability to ensure secure coding and deployment practices for HTTP/2 services.
These steps emphasize configuration changes, network filtering, and active monitoring tailored to the resource exhaustion nature of this vulnerability.
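The following is an added illustrative example, not Jetty's code and not part of the original advisory. It parses HTTP/2 SETTINGS frames (frame type and setting identifier are the real RFC 9113 values), then places the flawed pattern the Technical Summary describes (sizing an encoder buffer directly from the peer's SETTINGS_MAX_HEADER_LIST_SIZE) beside a bounded variant, and adds the kind of check a TLS-terminating proxy or the server itself could use for the anomalous-value detection that mitigation items 3 and 5 call for. The cap and default sizes are assumed policy values chosen for the example; the sample frames are constructed inline.

```python
"""HTTP/2 SETTINGS frame parser with a server-side cap on
SETTINGS_MAX_HEADER_LIST_SIZE.

Illustrative example only, not Jetty's implementation.
"""
import struct
from dataclasses import dataclass

# Real values from RFC 9113 (HTTP/2).
FRAME_TYPE_SETTINGS = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
FLAG_ACK = 0x1

# Assumed local policy values for this example; a real server picks its own.
DEFAULT_ENCODER_BUFFER = 8 * 1024   # used when the peer advertises no value
ENCODER_BUFFER_CAP = 64 * 1024      # never allocate more than this from a peer hint


@dataclass
class SettingsFrame:
    stream_id: int
    ack: bool
    settings: dict  # identifier -> 32-bit value, as advertised by the peer


def build_settings_frame(settings: dict, stream_id: int = 0) -> bytes:
    """Serialize a SETTINGS frame. Used only to construct sample input."""
    payload = b"".join(struct.pack(">HI", ident, value)
                       for ident, value in settings.items())
    header = (len(payload).to_bytes(3, "big")            # 24-bit length
              + bytes([FRAME_TYPE_SETTINGS, 0])          # type, flags
              + struct.pack(">I", stream_id & 0x7FFFFFFF))  # reserved bit cleared
    return header + payload


def parse_settings_frame(data: bytes) -> SettingsFrame:
    """Parse one frame, enforcing the structural rules for SETTINGS."""
    if len(data) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    frame_type, flags = data[3], data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError(f"not a SETTINGS frame: type 0x{frame_type:x}")
    if stream_id != 0:
        raise ValueError("SETTINGS frames must be sent on stream 0")
    if length % 6 != 0:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    payload = data[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated SETTINGS payload")
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack(">HI", payload[off:off + 6])
        settings[ident] = value  # a later occurrence overrides an earlier one
    return SettingsFrame(stream_id, bool(flags & FLAG_ACK), settings)


def encoder_buffer_size_unchecked(frame: SettingsFrame) -> int:
    """Models the advisory's flaw: the peer's advertised size becomes the
    ByteBuffer capacity with no validation, so the 32-bit maximum asks for ~4 GiB."""
    return frame.settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, DEFAULT_ENCODER_BUFFER)


def encoder_buffer_size_bounded(frame: SettingsFrame, cap: int = ENCODER_BUFFER_CAP) -> int:
    """Hardened form: the peer's value is only a hint and is clamped to local policy."""
    requested = frame.settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, DEFAULT_ENCODER_BUFFER)
    return min(requested, cap)


def anomalous_settings(frame: SettingsFrame, cap: int = ENCODER_BUFFER_CAP) -> list:
    """Detection hook: (identifier, value) pairs exceeding what we would ever honour.
    Suitable for logging/alerting at a TLS-terminating proxy or in the server."""
    limits = {SETTINGS_MAX_HEADER_LIST_SIZE: cap}
    return [(ident, value) for ident, value in frame.settings.items()
            if ident in limits and value > limits[ident]]


if __name__ == "__main__":
    # Constructed sample frames: a benign client, and one advertising the
    # largest value the 32-bit setting field can hold.
    benign = parse_settings_frame(build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 16384}))
    oversized = parse_settings_frame(build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF}))
    for name, frame in (("benign", benign), ("oversized", oversized)):
        print(name, "unchecked:", encoder_buffer_size_unchecked(frame),
              "bounded:", encoder_buffer_size_bounded(frame),
              "flagged:", anomalous_settings(frame))
```

The design point is that a peer-advertised setting must never be the sole input to an allocation size: the server keeps its own ceiling, clamps the hint to it, and treats any value above the ceiling as a signal worth logging rather than a parameter to obey.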
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-03-04T13:55:56.722Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd8228
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 5:10:46 AM
Last updated: 8/13/2025, 1:03:01 PM