High severity · NVD Advisory · Published May 8, 2025 · Updated May 8, 2025
Eclipse Jetty HTTP clients can increase memory allocation
CVE-2025-1948
Description
In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can advertise a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this peer-supplied setting and tries to allocate a ByteBuffer of the advertised capacity for encoding HTTP response headers, which is likely to throw OutOfMemoryError or even cause the JVM process to exit.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty.http2:jetty-http2-common | Maven | >= 12.0.0, < 12.0.17 | 12.0.17 |
Affected products
15 OSV coordinates, none with a CPE assigned. The Neo4j apk packages are listed because they ship the affected Jetty HTTP/2 module.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/neo4j-2025.02 | < 2025.02.0-r2 |
| pkg:apk/chainguard/neo4j-2025.02-docker-publish | < 2025.02.0-r2 |
| pkg:apk/chainguard/neo4j-2025.03 | < 2025.03.0-r2 |
| pkg:apk/chainguard/neo4j-2025.03-docker-publish | < 2025.03.0-r2 |
| pkg:apk/chainguard/neo4j-5.26 | < 5.26.6-r1 |
| pkg:apk/chainguard/neo4j-5.26-docker-publish | < 5.26.6-r1 |
| pkg:apk/chainguard/neo4j-5.26-oci-entrypoint | < 5.26.6-r1 |
| pkg:apk/wolfi/neo4j-2025.02 | < 2025.02.0-r2 |
| pkg:apk/wolfi/neo4j-2025.02-docker-publish | < 2025.02.0-r2 |
| pkg:apk/wolfi/neo4j-2025.03 | < 2025.03.0-r2 |
| pkg:apk/wolfi/neo4j-2025.03-docker-publish | < 2025.03.0-r2 |
| pkg:apk/wolfi/neo4j-5.26 | < 5.26.6-r1 |
| pkg:apk/wolfi/neo4j-5.26-docker-publish | < 5.26.6-r1 |
| pkg:apk/wolfi/neo4j-5.26-oci-entrypoint | < 5.26.6-r1 |
| pkg:maven/org.eclipse.jetty.http2/jetty-http2-common | >= 12.0.0, < 12.0.17 |
Patches
Fixed in jetty-http2-common 12.0.17. The fix is jetty.project commit c8c2515936ef968dc8a3cecd9e79d1e69291e4bb, tracked as jetty.project issue #12690 (both linked under References).
Vulnerability mechanics
SETTINGS_MAX_HEADER_LIST_SIZE is chosen by the remote peer and carried in a SETTINGS frame at the start of every HTTP/2 connection. In HTTP/2 it is an advisory statement of how large a header list the sender is prepared to accept, so the only safe use of a received value is to bound what the server sends back. Jetty 12.0.0 through 12.0.16 instead used the peer's value as the capacity of the ByteBuffer allocated for encoding response headers, so a client advertising a value near 4294967295 (the 32-bit maximum) can force a multi-gigabyte allocation and an OutOfMemoryError before any request is served. HTTP/1.1 connections do not carry this setting. Check deployed versions of jetty-http2-common, including bundles such as the Neo4j packages listed above, and upgrade to 12.0.17 or later.
References
- ADVISORY: github.com/advisories/GHSA-889j-63jv-qhr8
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2025-1948
- WEB: github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb (fix commit)
- WEB: github.com/jetty/jetty.project/issues/12690
- WEB: github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
- WEB: gitlab.eclipse.org/security/cve-assignement/-/issues/56