CVE-2025-11143
Description
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jetty's URI parser differs from other parsers on invalid URIs, enabling security bypass via differential parsing between components.
Vulnerability
Details
The Jetty URI parser exhibits key differences from other common parsers when evaluating invalid or unusual URIs [1][3]. This is not a single code defect but a design divergence: Jetty interprets malformed URIs differently from the parsers used by other components in the same request path. For instance, a URI with an invalid scheme such as https>://vulndetector.com/path is reported to be parsed by Jetty as having scheme http>, whereas other parsers see scheme https or reject the URI entirely [3]. Jetty also handles IPv6 literals differently, rejecting http://[0:0:0:0:0:ffff:127.0.0.1] as invalid where other parsers accept it as a valid IPv4-mapped IPv6 address for loopback [3]. Further differences involve the treatment of the #, ? and @ delimiters, so that Jetty and another parser can extract different hosts from the same string [3]. Each divergence matters only when the two disagreeing parsers sit on opposite sides of a security decision, so the practical question for any deployment is which parser the enforcement point uses and which parser acts on the result.
Exploitation
Prerequisites
Exploitation requires a URI that Jetty interprets differently from another component in the request path, such as a security gateway, web application firewall, or a separate application module that performs its own URI validation [1]. No authentication against the Jetty server is needed; the precondition is architectural. The attacker must be able to submit requests that traverse at least two URI-parsing components, where one (for example an ACL) blacklists hosts or paths according to its own parser while Jetty's parser resolves the same request to a different host or path [1][3]. A deployment in which Jetty's parser alone both validates and serves the request does not present this condition.
Impact
The primary impact is a security bypass [1][3]. For example, a blacklist component may reject requests to vulndetector.com, but Jetty's parser may extract a different host from the same URI and let the request reach the blocked destination, or the reverse: the blacklist sees an innocuous host while Jetty routes the request to the one it was meant to stop. Depending on the architecture this becomes an access-control bypass or, where the URI is used to build an outbound request, a server-side request forgery (SSRF) filter bypass. At a minimum, the differing responses to malformed URIs reveal which parser is in use, aiding further reconnaissance [1].
Mitigation
Patches have been released for the supported open-source lines: Jetty 12.1.x is fixed in 12.1.5 and Jetty 12.0.x in 12.0.31 [3]. For the end-of-life (EOL) lines 9.4.x, 10.0.x and 11.0.x, patches are available only through commercial support from TuxCare and HeroDevs [3]. Administrators should upgrade to a patched version; check the resolved version of org.eclipse.jetty:jetty-http in the build (for Maven, mvn dependency:tree) rather than the version of the embedding framework, since that artifact is the one listed as affected. Until the upgrade lands, a trusted intermediary can reduce exposure by canonicalising URIs and rejecting any request on which its own parser and Jetty's would disagree, which is more robust than adding entries to a blacklist.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-http | Maven | >= 9.4.0, <= 9.4.58 | — |
| org.eclipse.jetty:jetty-http | Maven | >= 10.0.0, <= 10.0.26 | — |
| org.eclipse.jetty:jetty-http | Maven | >= 11.0.0, <= 11.0.26 | — |
| org.eclipse.jetty:jetty-http | Maven | >= 12.0.0, < 12.0.31 | 12.0.31 |
| org.eclipse.jetty:jetty-http | Maven | >= 12.1.0, < 12.1.5 | 12.1.5 |
Affected products
1. Eclipse Foundation / Eclipse Jetty (v5), range: 9.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3 indexed)
News mentions
No linked articles in our index yet.