CVE-2025-5115

Medienbericht

EPSS 0.11%
Veröffentlicht 20.08.2025 19:07:11
Zuletzt bearbeitet 27.01.2026 19:23:52
Quelle emo@eclipse.org
CVE-Watchlists
Login
Unerledigt
Login

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.


For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.
Per specification  https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.
The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.


The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.



Links:



  *   https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 15

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version >= 9.3.0 <= 9.4.57

Eclipse ≫ Jetty Version >= 10.0.0 <= 10.0.25

Eclipse ≫ Jetty Version >= 11.0.0 <= 11.0.25

Eclipse ≫ Jetty Version >= 12.0.0 <= 12.0.21

Eclipse ≫ Jetty Version12.1.0 Updatealpha0

Eclipse ≫ Jetty Version12.1.0 Updatealpha1

Eclipse ≫ Jetty Version12.1.0 Updatealpha2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.304

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
emo@eclipse.org	7.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://www.heise.de/news/SAP-Patchday-im-Oktober-behebt-mehrere-kritische-Schwachstellen-10755029.html

Medienbericht

heise Security

14.10.2025 10:42

https://github.com/jetty/jetty.project/pull/13449

Issue Tracking

https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Third Party Advisory

https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0

Release Notes

https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25

Release Notes