Maven package
org.eclipse.jetty.http2/jetty-http2-common
pkg:maven/org.eclipse.jetty.http2/jetty-http2-common
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-5115 | — | >= 12.0.0, < 12.0.25 | 12.0.25 | Aug 20, 2025 | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th | ||
| CVE-2025-1948 | — | >= 12.0.0, < 12.0.17 | 12.0.17 | May 8, 2025 | In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the sp | ||
| CVE-2024-22201 | — | >= 12.0.0, < 12.0.6 | 12.0.6 | Feb 26, 2024 | Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | >= 12.0.0, < 12.0.2 | 12.0.2 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
- CVE-2025-5115Aug 20, 2025affected >= 12.0.0, < 12.0.25fixed 12.0.25
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th
- CVE-2025-1948May 8, 2025affected >= 12.0.0, < 12.0.17fixed 12.0.17
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the sp
- CVE-2024-22201Feb 26, 2024affected >= 12.0.0, < 12.0.6fixed 12.0.6
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing
- affected >= 12.0.0, < 12.0.2fixed 12.0.2
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.