logo

Database

Improper resource allocation In jetty12

Description

Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit

Original Report

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

Impact

Remote peers can cause the JVM to crash or continuously report OOM.

Patches

12.0.17

Workarounds

No workarounds.

References

https://github.com/jetty/jetty.project/issues/12690

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-19482. NVD-2025-19483. OSV-DEBIAN-2025-19484. OSV-2025-19485. GHSA-889j-63jv-qhr86. GCVE-2025-19487. SECURITY-TRACKER-CVE-2025-1948

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr82. https://github.com/jetty/jetty.project/issues/126903. https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb4. https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.