Fluid Attacks Database

Description

org.eclipse.jetty:jetty-http has different parsing of invalid URIs The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:

Invalid Scheme

URI	Jetty	uri-js (nodejs)	node-url(nodejs)
`https>://vulndetector.com/path`	scheme=`http>`	scheme=`https`	invalid URI

Improper IPv4 mapped IPv6

URI	Jetty	System.Uri(CSharp)	curl(C)
`http://[0:0:0:0:0:ffff:127.0.0.1]`	invalid	host=`[::ffff:127.0.0.1]`	host=`[::ffff:127.0.0.1]`
`http://[::ffff:255.255.0.0]`	invalid	host=`[::ffff:255.255.0.0]`	host=`[::ffff:255.255.0.0]`

Incorrect IPv6 delimeter priority

URI	Jetty	urllib3(python)	furl(python)	Spring	chromium
`http://[normal.com@]vulndetector.com/`	host=`[normal.com@]`	invalid	invalid
`http://normal.com[user@vulndetector].com/`	host=`[noirmal.com@vulndetector			host=`normal.com`	invalid
`http://normal.com[@]vulndetector.com/`	host=`normal.com[@]			host=`normal.com`	invalid

Incorrect delimeter priority

URI	Jetty	urllib3(python)	jersey
`http://normal.com/#@vulndetector.com`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`
`http://normal.com/[email protected]`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`

Impact

Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Patches

Patched in Supported Open Source versions.

12.1.5 - Supported and available on Maven Central

12.0.31 - Supported and available on Maven Central

11.0.x - EOL Release, patches available on tuxcare and herodevs

10.0.x - EOL Release, patches available on tuxcare and herodevs

9.4.x - EOL Release, patches available on tuxcare and herodevs

Workarounds

None

Resources

Java Eclipse Jetty Report_ Incorrect Parsing Priority of the IPv6 Hostname Delimeter.pdf

Java Eclipse Jetty Report_ The Parsing Priority of the Delimiter.pdf

Java Eclipse Jetty Report_ Parsing Difference Due to Deformed Scheme.pdf

Java Eclipse Jetty Report_ Improper IPv4-mapped IPv6 Parsing.pdf

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	jetty9	=9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 13	jetty12	=12.0.17-3 \|\| =12.0.17-3.1 \|\| =12.0.17-3.1~deb13u1 \|\| =12.0.32-1 \|\| =12.0.32-2 \|\| =12.0.33-1	-
debian 11	jetty9	=9.4.39-3 \|\| =9.4.39-3+deb11u1 \|\| =9.4.39-3+deb11u2 \|\| =9.4.44-1 \|\| =9.4.44-2 \|\| =9.4.44-3 \|\| =9.4.44-4 \|\| =9.4.45-1 \|\| =9.4.46-1 \|\| =9.4.48-1 \|\| =9.4.49-1 \|\| =9.4.49-1.1 \|\| =9.4.50-1 \|\| =9.4.50-1~bpo11+1 \|\| =9.4.50-2 \|\| =9.4.50-3 \|\| =9.4.50-4 \|\| =9.4.50-4+deb11u1 \|\| =9.4.50-4+deb11u2 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| =9.4.57-0+deb11u1 \|\| =9.4.57-0+deb11u2 \|\| =9.4.57-0+deb11u3 \|\| =9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 14	jetty12	=12.0.17-3 \|\| =12.0.17-3.1 \|\| =12.0.17-3.1~deb13u1 \|\| >=0 <12.0.32-1	12.0.32-1
debian 14	jetty9	=9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
maven	org.eclipse.jetty:jetty-http	>=9.4.0 <=9.4.58 \|\| >=10.0.0 <=10.0.26 \|\| >=11.0.0 <=11.0.26 \|\| >=12.0.0 <12.0.31 \|\| >=12.1.0 <12.1.5	12.0.31, 12.1.5
debian 12	jetty9	=9.4.50-4 \|\| =9.4.50-4+deb12u1 \|\| =9.4.50-4+deb12u2 \|\| =9.4.50-4+deb12u3 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| =9.4.57-0+deb12u1 \|\| =9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
rpm rhel9	jmc	-	-

Aliases

1. CVE-2025-111432. NVD-2025-111433. OSV-DEBIAN-2025-111434. OSV-2025-111435. GHSA-wjpw-4j6x-6rwh6. GCVE-2025-111437. SECURITY-TRACKER-CVE-2025-11143

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh2. https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf3. https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf4. https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf5. https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf