Eclipse Jetty
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*
- >= 9.4.0, <= 9.4.56
A vulnerability exists in Eclipse Jetty versions 9.4.0 through 9.4.56, in which a buffer may be incorrectly released when a gzip error occurs while inflating a request body. Because the buffer is returned to the pool while still in use, the result can be corrupted request data and request body data being inadvertently shared between unrelated requests. The issue is associated with Jetty's gzip request inflation (GzipHandler): under certain conditions, part of one request's body can overwrite part of another's, which is most likely to surface in high-volume deployments where many requests are in flight at once.
The impact is twofold. Request body data from one API request can be mixed into another, so the application processes corrupted input, and data submitted by one client can end up visible to, or acted on in the context of, a different client's request. Since the condition is reached whenever a request body fails to inflate, it can be provoked by a malformed gzip body as well as occurring by accident.
The vulnerability is addressed in Jetty 9.4.57, the first 9.4.x release containing the fix; deployments running 9.4.0 through 9.4.56 should upgrade to 9.4.57 or later.
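The first thing a practitioner wants from an entry like this is a way to check whether deployed artifacts fall in the affected range. The following is an added example, not code from the Jetty project or from this page: it reads Implementation-Version from a jar's MANIFEST.MF, strips the ".vYYYYMMDD" build qualifier that Jetty 9.4 appends (comparing it as a fourth numeric component would misorder versions), and compares the remaining tuple against 9.4.0 through 9.4.56. The version strings and the in-memory jar used below are constructed test data.

```python
"""Check Eclipse Jetty 9.4.x jars against the affected range in this entry."""
import io
import re
import zipfile
from typing import Optional, Tuple

# Range taken from the entry above: 9.4.0 through 9.4.56 affected, fixed in 9.4.57.
AFFECTED_MIN = (9, 4, 0)
AFFECTED_MAX = (9, 4, 56)
FIXED = (9, 4, 57)

# Jetty 9.4 versions look like "9.4.56.v20240826". The ".vYYYYMMDD" part is a
# build timestamp, so it is matched but not captured for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a Jetty version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Inclusive range check; tuple comparison orders components numerically."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def version_from_manifest(jar_bytes: bytes) -> Optional[Tuple[int, int, int]]:
    """Read Implementation-Version from META-INF/MANIFEST.MF inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest continuation lines begin with a single space; join them first.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in manifest.split("\n"):
        if line.startswith("Implementation-Version:"):
            return parse_jetty_version(line.split(":", 1)[1])
    return None


def assess(jar_bytes: bytes) -> str:
    """Classify a jar as 'affected', 'not-affected' or 'unknown'."""
    version = version_from_manifest(jar_bytes)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def _fake_jar(version: str) -> bytes:
    """Build a minimal in-memory jar (constructed test data, not a Jetty artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Bundle-SymbolicName: org.eclipse.jetty.server\r\n"
            f"Implementation-Version: {version}\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Illustrative version strings; the build qualifiers are made up.
    for v in ("9.4.0", "9.4.56.v20240826", "9.4.57.v20250101", "10.0.20"):
        print(f"{v:>20}: {assess(_fake_jar(v))}")
```

Against a real deployment, feed `assess()` the bytes of each jetty-*.jar under the server's lib directory; the manifest is preferred over the jar filename because repackaged or shaded jars are often renamed.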