CVE-2025-1948

Eclipse Jetty HTTP clients can increase memory allocation

Description

In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can advertise a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the advertised capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
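As an added illustration of the defect (example code, not Jetty's implementation), the snippet below parses an HTTP/2 SETTINGS frame as laid out in RFC 9113 and shows the peer-advertised SETTINGS_MAX_HEADER_LIST_SIZE being clamped to a server-side ceiling before it is used to size an encoder buffer; the ceiling value and the function names are assumptions, and the sample frame is constructed.

```python
import struct

# HTTP/2 constants from RFC 9113 (frame type and settings identifier).
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Assumed server-side ceiling on the header-list buffer we will ever
# allocate, independent of what the client advertises.
SERVER_MAX_HEADER_LIST_SIZE = 64 * 1024


def build_settings_frame(settings):
    """Build a SETTINGS frame (stream 0, no flags) from {identifier: value}."""
    payload = b"".join(struct.pack("!HI", sid, val) for sid, val in settings.items())
    # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id.
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, 0])
    return header + struct.pack("!I", 0) + payload


def parse_settings_frame(frame):
    """Return {identifier: value} from a SETTINGS frame, checking its structure."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_FRAME_TYPE or stream_id != 0:
        raise ValueError("not a SETTINGS frame on stream 0")
    # Each setting is a 16-bit identifier followed by a 32-bit value.
    if length % 6 != 0 or len(frame) != 9 + length:
        raise ValueError("malformed SETTINGS payload")
    return {sid: val for sid, val in struct.iter_unpack("!HI", frame[9:])}


def encoder_buffer_size(peer_settings):
    """Size the response-header encoder buffer from the peer's settings.

    The vulnerable pattern allocates peer_settings[SETTINGS_MAX_HEADER_LIST_SIZE]
    bytes as advertised (up to 2**32 - 1); here the value is clamped to the
    server ceiling so a hostile client cannot force a huge allocation.
    """
    requested = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, SERVER_MAX_HEADER_LIST_SIZE)
    return min(requested, SERVER_MAX_HEADER_LIST_SIZE)


if __name__ == "__main__":
    # Constructed frame advertising the largest possible 32-bit value.
    frame = build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF})
    print(encoder_buffer_size(parse_settings_frame(frame)))  # 65536
```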

CVSS

Severity: High
CVSS 3.1 base score: 7.5
EPSS: 0.05%
Affected: Eclipse Foundation Jetty

Frequently Asked Questions

What is the severity of CVE-2025-1948?
CVE-2025-1948 has been scored as a high severity vulnerability.
How to fix CVE-2025-1948?
To fix CVE-2025-1948, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2025-1948 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2025-1948 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-1948?
CVE-2025-1948 affects Eclipse Foundation Jetty.