CVE-2025-1948

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

Published: May 8, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-1948
GHSA: GHSA-889j-63jv-qhr8
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
org.eclipse.jetty.http2 / jetty-http2-common	12.0.0	12.0.17
eclipse / jetty	12.0.0	12.0.17

https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
https://github.com/jetty/jetty.project/issues/12690
https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Vulnerability Database

CVE-2025-1948

Deep Security Visibility Without the Complexity