Vulnerability Details CVE-2025-1948
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.
The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.6%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2025-1948
-
cpe:2.3:a:eclipse:jetty:12.0.0
-
cpe:2.3:a:eclipse:jetty:12.0.1
-
cpe:2.3:a:eclipse:jetty:12.0.10
-
cpe:2.3:a:eclipse:jetty:12.0.11
-
cpe:2.3:a:eclipse:jetty:12.0.12
-
cpe:2.3:a:eclipse:jetty:12.0.13
-
cpe:2.3:a:eclipse:jetty:12.0.14
-
cpe:2.3:a:eclipse:jetty:12.0.15
-
cpe:2.3:a:eclipse:jetty:12.0.2
-
cpe:2.3:a:eclipse:jetty:12.0.3
-
cpe:2.3:a:eclipse:jetty:12.0.4
-
cpe:2.3:a:eclipse:jetty:12.0.5
-
cpe:2.3:a:eclipse:jetty:12.0.6
-
cpe:2.3:a:eclipse:jetty:12.0.7
-
cpe:2.3:a:eclipse:jetty:12.0.8
-
cpe:2.3:a:eclipse:jetty:12.0.9