CVE-2025-1948
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-1948
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | fixed | 12.0.17-1 |
| debian | sid | fixed | 12.0.17-1 |
| debian | trixie | fixed | 12.0.17-1 |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.eclipse.jetty.http2:jetty-http2-common | >=12.0.0,<12.0.17 | 12.0.17 |
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
- https://nvd.nist.gov/vuln/detail/CVE-2025-1948
- https://github.com/jetty/jetty.project/issues/12690
- https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
- https://github.com/jetty/jetty.project
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
- https://security-tracker.debian.org/tracker/CVE-2025-1948