VYPR
High severity · NVD Advisory · Published May 8, 2025 · Updated May 8, 2025

Eclipse Jetty HTTP/2 clients can force excessive server memory allocation

CVE-2025-1948

Description

In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity when encoding HTTP responses, which is likely to result in an OutOfMemoryError being thrown, or even in the JVM process exiting. The setting is advisory (RFC 9113, section 6.5.2): it tells the peer the largest header list the client is prepared to accept, so a server should treat it as an upper bound capped by its own configured limit rather than as a buffer size to allocate unconditionally.
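The following is an added example, not Jetty's code or the 12.0.17 fix. It builds an HTTP/2 SETTINGS frame (RFC 9113 frame layout) carrying the largest possible SETTINGS_MAX_HEADER_LIST_SIZE, parses it as a server would, and contrasts the unvalidated behaviour described above (sizing an encoder buffer straight from the peer's value) with an illustrative mitigation that clamps the value to a server-side limit. The frame bytes, the 8 KiB server limit and the function names are constructed for the example.

```python
"""Added example (not Jetty code): an oversized SETTINGS_MAX_HEADER_LIST_SIZE
and the difference between trusting it and clamping it to a server limit."""
import struct

FRAME_TYPE_SETTINGS = 0x4               # RFC 9113 section 6.5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6     # RFC 9113 section 6.5.2 (advisory setting)
SERVER_MAX_HEADER_LIST_SIZE = 8 * 1024  # assumed server-side cap for this example


def build_settings_frame(settings):
    """Encode a SETTINGS frame: 24-bit length, 8-bit type, 8-bit flags,
    31-bit stream id (must be 0), then 6-byte (id, value) entries."""
    payload = b"".join(struct.pack("!HI", ident, value)
                       for ident, value in settings.items())
    length24 = struct.pack("!I", len(payload))[1:]
    header = length24 + bytes([FRAME_TYPE_SETTINGS, 0x00]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame into {setting_id: value}; reject malformed input."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte header")
    length = int.from_bytes(frame[0:3], "big")
    ftype = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS or stream_id != 0:
        raise ValueError("not a connection-level SETTINGS frame")
    if length % 6 or len(frame) < 9 + length:
        raise ValueError("SETTINGS payload must be a whole number of 6-byte entries")
    payload = frame[9:9 + length]
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


def unchecked_buffer_capacity(peer_settings):
    """The behaviour the advisory describes: the peer's value is used as-is
    as the capacity of the buffer the server allocates for encoding responses.
    A client can therefore request a 4 GiB allocation with one 6-byte entry."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, SERVER_MAX_HEADER_LIST_SIZE)


def clamped_buffer_capacity(peer_settings, server_limit=SERVER_MAX_HEADER_LIST_SIZE):
    """Illustrative mitigation: the setting only states what the peer will
    accept, so the server's encoder never needs more than its own limit."""
    peer_value = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, server_limit)
    return min(peer_value, server_limit)


def simulate_allocation(capacity, heap_available):
    """Stand-in for allocating a ByteBuffer: fails like the JVM would when the
    requested capacity exceeds what the heap can provide."""
    if capacity > heap_available:
        raise MemoryError(f"cannot allocate {capacity} bytes")
    return capacity


if __name__ == "__main__":
    # Constructed malicious frame: the maximum 32-bit value for the setting.
    hostile = build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF})
    peer = parse_settings_frame(hostile)
    heap = 512 * 1024 * 1024  # assume 512 MiB of heap is available
    try:
        simulate_allocation(unchecked_buffer_capacity(peer), heap)
    except MemoryError as exc:
        print("unvalidated server:", exc)
    print("clamped server allocates", simulate_allocation(clamped_buffer_capacity(peer), heap))
```

The parser rejects frames with a non-zero stream id or a payload that is not a multiple of six bytes, which is the framing check a server must do anyway; the vulnerability here is not a framing error but the missing policy check on a syntactically valid value, which is what `clamped_buffer_capacity` supplies.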


Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.eclipse.jetty.http2:jetty-http2-common | Maven | >= 12.0.0, < 12.0.17 | 12.0.17
