Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit

GHSA-889j-63jv-qhr8 · CVE-2025-1948

Published May 8, 2025 · Modified Feb 4, 2026

Description

Original Report

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

Impact

Remote peers can cause the JVM to crash or continuously report OOM.

Patches

12.0.17

Workarounds

No workarounds.

References

https://github.com/jetty/jetty.project/issues/12690

References

WEB https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-1948
WEB https://github.com/jetty/jetty.project/issues/12690
WEB https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
PACKAGE https://github.com/jetty/jetty.project
WEB https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes