Eclipse Jetty HTTP/2 Denial-of-Service Vulnerability via Excessive Header List Size

Vulnerability

A denial-of-service vulnerability affects Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive. An HTTP/2 client can advertise an arbitrarily large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter in its SETTINGS frame (the value is a 32-bit unsigned integer, so it can request up to roughly 4 GiB). The Jetty HTTP/2 server does not validate this peer-supplied setting and attempts to allocate a ByteBuffer of the requested capacity when encoding HTTP response headers. The allocation can throw an OutOfMemoryError, which can crash the JVM process.
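The following is an added example, not Jetty project code: it encodes and parses an HTTP/2 SETTINGS frame (RFC 9113 frame layout and setting identifiers) and contrasts a buffer-sizing routine that trusts the peer's SETTINGS_MAX_HEADER_LIST_SIZE directly, the pattern described above, with one that caps the value at a locally configured ceiling. The constant LOCAL_MAX_HEADER_LIST_SIZE and both sizing functions are assumptions of this example and do not reflect Jetty's defaults or its 12.0.17 fix.

```python
"""
Added example: parse an HTTP/2 SETTINGS frame and size an encoder buffer from
SETTINGS_MAX_HEADER_LIST_SIZE, once naively (peer-controlled) and once capped.
Not Jetty code; frame format per RFC 9113 section 6.5.
"""
import struct

FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6  # RFC 9113 identifier

# Hypothetical server-side ceiling for the header encoder buffer (an assumption
# of this example, not a Jetty setting).
LOCAL_MAX_HEADER_LIST_SIZE = 8 * 1024


def build_settings_frame(settings):
    """Encode {identifier: value} as a SETTINGS frame: 9-byte header + 6-byte pairs."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in settings.items())
    length = struct.pack(">I", len(payload))[1:]        # 24-bit length
    header = length + bytes([FRAME_TYPE_SETTINGS, 0x0]) + struct.pack(">I", 0)  # flags, stream 0
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame into {identifier: value}, rejecting malformed input."""
    if len(frame) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS or stream_id != 0:
        raise ValueError("not a SETTINGS frame on stream 0")
    if flags & FLAG_ACK:
        if length != 0:
            raise ValueError("SETTINGS ACK must carry no payload")
        return {}
    if length % 6 != 0 or len(frame) < 9 + length:
        raise ValueError("malformed SETTINGS payload")
    payload = frame[9:9 + length]
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack(">HI", payload[off:off + 6])
        settings[ident] = value
    return settings


def vulnerable_buffer_size(peer_settings):
    """Sizes the encoder buffer straight from the peer's advertised value.
    A client sending 0xFFFFFFFF makes the server try to allocate ~4 GiB."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_HEADER_LIST_SIZE)


def hardened_buffer_size(peer_settings):
    """Never allocates more than the local ceiling. The peer's value is still
    honoured as an upper bound on what we send, but it no longer drives allocation."""
    advertised = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_HEADER_LIST_SIZE)
    return min(advertised, LOCAL_MAX_HEADER_LIST_SIZE)


if __name__ == "__main__":
    # Constructed sample: the first SETTINGS frame a hostile client could send
    # right after the connection preface, with the maximum 32-bit value.
    frame = build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 0xFFFFFFFF})
    peer = parse_settings_frame(frame)
    print("peer advertises:", peer[SETTINGS_MAX_HEADER_LIST_SIZE])
    print("vulnerable allocation:", vulnerable_buffer_size(peer))
    print("hardened allocation:", hardened_buffer_size(peer))
```

The point of the hardened variant is that a setting received from the network is a hint about the peer's limits, not a budget the server must reserve; any allocation driven by it has to be bounded by local configuration.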

Impact

A remote client can trigger the excessive allocation with a single SETTINGS frame sent immediately after the HTTP/2 connection preface, before any request or authentication takes place. The resulting OutOfMemoryError can crash the JVM or leave it continuously reporting memory exhaustion, rendering the server unavailable.

Remediation

Upgrade to Eclipse Jetty 12.0.17 or later, which validates the client-supplied SETTINGS_MAX_HEADER_LIST_SIZE value instead of allocating a buffer of whatever size the peer requests.

Added: Jun 5, 2025, 11:22 PM
Updated: Jun 5, 2025, 11:57 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.