OutOfMemoryError in Eclipse Jetty due to Improper HTTP/2 Header List Size Validation
CVE-2025-1948

7.5HIGH

Key Information:

Vendor
Eclipse Foundation
Status
Jetty
Vendor
CVE Published:
8 May 2025

Summary

In versions 12.0.0 through 12.0.16 of Eclipse Jetty, a flaw occurs when the HTTP/2 client sends an excessively large SETTINGS_MAX_HEADER_LIST_SIZE. Due to a lack of validation, the Jetty HTTP/2 server attempts to allocate a ByteBuffer of the specified size for encoding HTTP responses. This can potentially lead to an OutOfMemoryError or cause the JVM process to terminate unexpectedly.

Affected Version(s)

Jetty 12.0.0 <= 12.0.16

References

https://gitlab.eclipse.org/security/cve-assignement/-/iss...
https://github.com/jetty/jetty.project/security/advisorie...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-1948 : OutOfMemoryError in Eclipse Jetty due to Improper HTTP/2 Header List Size Validation | SecurityVulnerability.io