High severity · NVD Advisory · Published May 8, 2025 · Updated May 8, 2025
Eclipse Jetty HTTP clients can increase memory allocation
CVE-2025-1948
Description
In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
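The validation gap described above, as an added example that is not Jetty's own code: a minimal HTTP/2 SETTINGS frame parser plus the two ways a server can turn the peer's SETTINGS_MAX_HEADER_LIST_SIZE into a response-header encoder buffer size, trusting the peer's value (the pre-fix behaviour the advisory describes) versus clamping it to a locally configured cap. The cap value, the helper names and the frame builder are assumptions made for the demonstration.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
# Assumed server-side cap for the response header encoder buffer; the
# advisory gives no number, so this value is a constructed example.
LOCAL_MAX_RESPONSE_HEADERS_SIZE = 8 * 1024


def parse_settings_frame(frame: bytes) -> dict:
    """Parse one HTTP/2 SETTINGS frame (RFC 7540 section 6.5) into {id: value}."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE or stream_id != 0:
        raise ValueError("not a connection-level SETTINGS frame")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6:
        raise ValueError("bad SETTINGS payload length")
    # Each setting is a 16-bit identifier followed by a 32-bit value.
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


def vulnerable_encoder_capacity(peer_settings: dict) -> int:
    """Pre-fix behaviour: size the encoder buffer from the peer's value as-is."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_RESPONSE_HEADERS_SIZE)


def hardened_encoder_capacity(peer_settings: dict) -> int:
    """Never allocate more than the locally configured maximum."""
    peer = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_RESPONSE_HEADERS_SIZE)
    return min(peer, LOCAL_MAX_RESPONSE_HEADERS_SIZE)


def build_settings_frame(settings: dict) -> bytes:
    """Constructed helper: build a SETTINGS frame carrying the given settings."""
    payload = b"".join(struct.pack("!HI", i, v) for i, v in settings.items())
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0]) + b"\x00\x00\x00\x00"
    return header + payload


if __name__ == "__main__":
    peer = parse_settings_frame(build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF}))
    print("peer advertised:", peer[SETTINGS_MAX_HEADER_LIST_SIZE])
    print("vulnerable allocation:", vulnerable_encoder_capacity(peer))
    print("hardened allocation:", hardened_encoder_capacity(peer))
```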
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty.http2:jetty-http2-common (Maven) | >= 12.0.0, < 12.0.17 | 12.0.17 |
Affected products
Patches (1)
1 file changed · +1 −0
jetty-core/jetty-http2/jetty-http2-tests/src/test/java/org/eclipse/jetty/http2/tests/HTTP2Test.java+1 −0 modified@@ -1315,6 +1315,7 @@ public boolean handle(Request request, Response response, Callback callback) }, httpConfig); connector.getBean(AbstractHTTP2ServerConnectionFactory.class).setMaxFrameSize(17 * 1024); http2Client.setMaxFrameSize(18 * 1024); + http2Client.setMaxRequestHeadersSize(2 * maxHeadersSize); // Wait for the SETTINGS frame to be exchanged. CountDownLatch settingsLatch = new CountDownLatch(1);
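Review bot: the server-side validation of SETTINGS_MAX_HEADER_LIST_SIZE that the advisory describes is not in this hunk, which touches only test code (HTTP2Test.java) by adding `http2Client.setMaxRequestHeadersSize(2 * maxHeadersSize);` next to the existing `setMaxFrameSize` calls; the production change in jetty-http2-common should be reviewed from the linked commit, since this diff alone does not show the fix. Also, `maxHeadersSize` is not defined in the visible context, so confirm it is in scope at this point of the test.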
References (6)
- github.com/advisories/GHSA-889j-63jv-qhr8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-1948 (ghsa, ADVISORY)
- github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb (ghsa, WEB)
- github.com/jetty/jetty.project/issues/12690 (ghsa, WEB)
- github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8 (ghsa, WEB)
- gitlab.eclipse.org/security/cve-assignement/-/issues/56 (ghsa, WEB)
News mentions (0)
No linked articles in our index yet.