CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1948 – Eclipse Jetty HTTP clients can increase memory allocation
https://notcve.org/view.php?id=CVE-2025-1948
08 May 2025 — In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 clien... • https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13009 – Eclipse Jetty GZIP buffer release
https://notcve.org/view.php?id=CVE-2024-13009
08 May 2025 — In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. • https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8184 – Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-8184
14 Oct 2024 — There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors... • https://github.com/jetty/jetty.project/pull/11723 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6762 – Jetty PushSessionCacheFilter can cause remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-6762
14 Oct 2024 — Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. Jetty 9 is a Java based web server and servlet engine. Several security vulnerabilities have been discovered which may allow remote attackers to cause a denial of service by repeatedly sending crafted requests which can trigger OutofMemory errors and exhaust the server's memory. • https://github.com/jetty/jetty.project/pull/10755 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6763 – Jetty URI parsing of invalid authority
https://notcve.org/view.php?id=CVE-2024-6763
14 Oct 2024 — Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combin... • https://github.com/jetty/jetty.project/pull/12012 • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-9823 – Jetty DOS vulnerability on DosFilter
https://notcve.org/view.php?id=CVE-2024-9823
14 Oct 2024 — There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally. A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, l... • https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h • CWE-400: Uncontrolled Resource Consumption •