CVE-2025-1948

Name: CVE-2025-1948

Description: In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version            Status
jetty12 (PTS)    sid, trixie           12.0.17-3          fixed
jetty9 (PTS)     bullseye              9.4.50-4+deb11u2   fixed
                 bullseye (security)   9.4.57-0+deb11u2   fixed
                 bookworm              9.4.50-4+deb12u3   fixed
                 bookworm (security)   9.4.57-0+deb12u1   fixed
                 sid, trixie           9.4.57-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
jetty     source   (unstable)   (not affected)
jetty12   source   (unstable)   12.0.17-1
jetty9    source   (unstable)   (not affected)

Notes

- jetty9 <not-affected> (Only affects 12.x)
- jetty <not-affected> (Only affects 12.x)
- https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
- https://github.com/jetty/jetty.project/issues/12690
