CVE-2025-1948
May 8, 2025, 6:15 p.m.
7.5
High
Description
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.
The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Eclipse |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | eclipse | jetty | 12.0.0-12.0.16 | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Timeline
Published: May 8, 2025, 6:15 p.m.
Last Modified: May 8, 2025, 6:15 p.m.
Last Modified: May 8, 2025, 6:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
emo@eclipse.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.