LOW 3.7 Maven
org.eclipse.jetty:jetty-http has different parsing of invalid URIs
GHSA-wjpw-4j6x-6rwh · CVE-2025-11143
Description
The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:
Invalid Scheme
| URI | Jetty | uri-js (nodejs) | node-url (nodejs) |
|---|---|---|---|
| https>://vulndetector.com/path | scheme=http> | scheme=https | invalid URI |
Improper IPv4-mapped IPv6
| URI | Jetty | System.Uri (C#) | curl (C) |
|---|---|---|---|
| http://[0:0:0:0:0:ffff:127.0.0.1] | invalid | host=[::ffff:127.0.0.1] | host=[::ffff:127.0.0.1] |
| http://[::ffff:255.255.0.0] | invalid | host=[::ffff:255.255.0.0] | host=[::ffff:255.255.0.0] |
Incorrect IPv6 delimiter priority
| URI | Jetty | urllib3 (python) | furl (python) | Spring | chromium |
|---|---|---|---|---|---|
| http://[normal.com@]vulndetector.com/ | host=[normal.com@] | invalid | invalid | | |
| http://normal.com[user@vulndetector].com/ | host=[noirmal.com@vulndetector | host=normal.com | invalid | | |
| http://normal.com[@]vulndetector.com/ | host=normal.com[@] | host=normal.com | invalid | | |
Incorrect delimiter priority
| URI | Jetty | urllib3 (python) | jersey |
|---|---|---|---|
| http://normal.com/#@vulndetector.com | host=vulndetector.com | host=normal.com | host=normal.com |
| http://normal.com/?@vulndetector.com | host=vulndetector.com | host=normal.com | host=normal.com |
Impact
Differential parsing of URIs in systems built from multiple components may result in a security bypass. For example, a component that enforces a blacklist may interpret a URI differently from the component that generates the response.
At the very least, differential parsing may divulge implementation details.
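A defensive pattern for the class of issue described above, added here as an example that is neither part of the advisory nor Jetty's own code: parse each inbound URI once against a strict RFC 3986 grammar, canonicalize scheme and host, and reject anything ambiguous before any other component (a blocklist, a router, a response generator) sees it. The regular expressions, the `strict_parse` and `gate` names and the sample blocklist are assumptions of this example, not Jetty APIs.

```python
import ipaddress
import re

# Strict RFC 3986 shapes (assumed for this example): scheme "://" authority,
# where authority = [userinfo "@"] host [":" port] and host is either an
# IP-literal in brackets or a reg-name of unreserved/pct-encoded/sub-delims.
URI_RE = re.compile(r"^([^:/?#]+)://([^/?#]*)(?:[/?#].*)?$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
AUTHORITY_RE = re.compile(
    r"^(?:(?P<userinfo>[A-Za-z0-9._~%!$&'()*+,;=:-]*)@)?"
    r"(?P<host>\[[^\]]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]+)"
    r"(?::(?P<port>[0-9]*))?$"
)


def strict_parse(uri):
    """Return (scheme, canonical_host), or None when the URI is malformed or
    would be read differently by lenient parsers (the cases in the tables above)."""
    m = URI_RE.match(uri)
    if m is None:
        return None
    scheme, authority = m.group(1), m.group(2)
    if SCHEME_RE.match(scheme) is None:      # rejects "https>"
        return None
    a = AUTHORITY_RE.match(authority)
    if a is None:                            # rejects "[normal.com@]vulndetector.com" etc.
        return None
    host = a.group("host")
    if host.startswith("["):
        try:
            addr = ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return None
        # Unwrap IPv4-mapped addresses so a blocklist on 127.0.0.1 also covers
        # [::ffff:127.0.0.1]; otherwise use the stable exploded form.
        mapped = addr.ipv4_mapped
        host = str(mapped) if mapped else "[" + addr.exploded + "]"
    return scheme.lower(), host.lower()


def gate(uri, blocked_hosts):
    """Admission check: strict parse first, blocklist on the canonical host only."""
    parsed = strict_parse(uri)
    if parsed is None:
        return "reject: ambiguous or malformed URI"
    scheme, host = parsed
    if host in blocked_hosts:
        return "reject: blocked host " + host
    return "allow: " + scheme + "://" + host
```

Every URI from the tables above is either rejected outright or reduced to one canonical host, so downstream parsers never get to disagree.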
Patches
Patched in Supported Open Source versions.
- 12.1.5 - Supported and available on Maven Central
- 12.0.31 - Supported and available on Maven Central
- 11.0.x - EOL Release, patches available on tuxcare and herodevs
- 10.0.x - EOL Release, patches available on tuxcare and herodevs
- 9.4.x - EOL Release, patches available on tuxcare and herodevs
Workarounds
None
References
- WEB https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-11143
- PACKAGE https://github.com/jetty/jetty.project
- WEB https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf
- WEB https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf
- WEB https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf
- WEB https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf