Uncontrolled Resource Consumption in org.eclipse.jetty.http2:http2-common
CVE-2025-1948
- org.eclipse.jetty.http2:http2-common
- org.eclipse.jetty.http2:jetty-http2-common
Summary
In Eclipse Jetty, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter "SETTINGS_MAX_HEADER_LIST_SIZE". The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a Byte Buffer of the specified capacity to encode HTTP responses, likely resulting in an Out of Memory Error being thrown, or even the JVM process exiting. This vulnerability affects 12.0.0.alpha0 through 12.0.16 and 12.1.0.alpha0 through 12.1.0.alpha1, and org.eclipse.jetty.http2:http2-common package versions 9.3.12.v20160915 through 9.3.30.v20211001, and 9.4.0.M1 through 11.0.25.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published
