HTTP/2 Resource Consumption Vulnerability in Eclipse Jetty
CVE-2025-5115

7.7HIGH

Key Information:

Vendor

Eclipse Jetty

Status
Eclipse Jetty
Vendor
CVE Published:
20 August 2025

What is CVE-2025-5115?

In Eclipse Jetty, an HTTP/2 client can exploit a vulnerability by sending malformed WINDOW_UPDATE frames, prompting the server to send RST_STREAM frames in response. This behavior allows a client to open multiple streams and send additional bad frames, leading the server to consume excessive CPU and memory resources without exceeding the allowed number of concurrent streams. Attack scenarios can include sending DATA frames for closed streams, further intensifying resource utilization on the server.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Eclipse Jetty >=9.3.0 <= 9.3.0

Eclipse Jetty >=10.0.0 <= 10.0.0

Eclipse Jetty >=11.0.0 <= 11.0.0

References

https://github.com/jetty/jetty.project/security/advisorie...
issue-tracking
https://github.com/jetty/jetty.project/pull/13449
patch
https://github.com/jetty/jetty.project/releases/tag/jetty...
release-notes

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.