Moderate severity · NVD Advisory · Published Apr 18, 2023 · Updated Feb 13, 2025

OutOfMemoryError for large multipart without filename in Eclipse Jetty

CVE-2023-26048

Description

Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause an OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw an OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jetty servlet multipart parsing can trigger OutOfMemoryError when a large part with a name but no filename is sent, even with streaming configured.

Vulnerability

CVE-2023-26048 is a denial-of-service vulnerability in Eclipse Jetty, affecting servlets configured for multipart processing (e.g., annotated with @MultipartConfig). When HttpServletRequest.getParameter() or HttpServletRequest.getParts() is invoked on a multipart request containing a part that has a name but no filename and a very large content, Jetty may throw an OutOfMemoryError. This occurs even when the default fileSizeThreshold=0 is set, which should normally cause the entire part content to be streamed to disk rather than held in memory [1].

Exploitation

An attacker can exploit this by sending a crafted multipart request with one part that satisfies the name/no-filename condition and carries an extremely large payload. No authentication is required; the issue can be triggered remotely through a standard HTTP request to any vulnerable endpoint with multipart handling enabled [1]. The server may eventually recover after the OutOfMemoryError, but service disruption and degraded performance will occur during the recovery period.

Impact

The primary impact is denial of service (DoS) – the JVM's heap is exhausted, leading to an OutOfMemoryError. Although the server can continue after recovery, the attack consumes resources and can cause temporary unavailability of the affected application [1].

Mitigation

Patches are available in Jetty versions 9.4.51, 10.0.14, and 11.0.14 [1]. Users unable to upgrade immediately can mitigate the issue by setting the multipart parameter maxRequestSize to a non-negative value, which limits the total size of the multipart content (though it remains read into memory) [1].
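As an added illustration of the mitigation above (example code, not from the advisory or from Jetty itself), assuming Jetty 9.4 with the javax.servlet API, a hypothetical UploadServlet, and constructed size limits; it registers a MultipartConfigElement with a non-negative maxRequestSize and rejects oversized bodies before getParts() is ever called:

```java
import java.io.IOException;
import javax.servlet.MultipartConfigElement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class BoundedMultipartExample {
    // Constructed limits for illustration: 1 MiB per file part, 4 MiB for the whole body.
    static final long MAX_FILE_SIZE = 1L << 20;
    static final long MAX_REQUEST_SIZE = 4L << 20;

    // Hypothetical upload servlet: rejects oversized bodies up front, then relies on the
    // MultipartConfigElement registered in main() to bound what getParts() will buffer.
    public static class UploadServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            long declared = req.getContentLengthLong(); // -1 when chunked or unknown
            if (declared > MAX_REQUEST_SIZE) {
                resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
            try {
                for (Part p : req.getParts()) {
                    // A part with a name but no filename is the case the advisory describes.
                    String kind = p.getSubmittedFileName() == null ? "field" : "file";
                    resp.getWriter().printf("%s %s: %d bytes%n", kind, p.getName(), p.getSize());
                }
            } catch (IllegalStateException e) {
                // Jetty raises this when maxFileSize or maxRequestSize is exceeded.
                resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ServletHolder holder = new ServletHolder(new UploadServlet());
        // Weak: new MultipartConfigElement(tmpDir) leaves maxRequestSize at -1 (unlimited).
        // Hardened: non-negative maxRequestSize as the advisory advises, fileSizeThreshold=0.
        holder.getRegistration().setMultipartConfig(new MultipartConfigElement(
                System.getProperty("java.io.tmpdir"), MAX_FILE_SIZE, MAX_REQUEST_SIZE, 0));
        ctx.addServlet(holder, "/upload");
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

The Content-Length pre-check only helps for non-chunked requests; the registered maxRequestSize is what bounds the remaining cases, and upgrading to a patched version remains the actual fix.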

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions        Patched versions
org.eclipse.jetty:jetty-server (Maven)   < 9.4.51.v20230217       9.4.51.v20230217
org.eclipse.jetty:jetty-server (Maven)   >= 10.0.0, < 10.0.14     10.0.14
org.eclipse.jetty:jetty-server (Maven)   >= 11.0.0, < 11.0.14     11.0.14

Affected products: 13

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 12

News mentions: 0 (no linked articles in our index yet)