Skip to main content
Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
org.eclipse.jetty/jetty-http 12.0.22 | Vul… | Sonatype Guide
Get full component data and automated fixes with Sonatype Guide.
Sign up for free
maven
org.eclipse.jetty
jetty-http
12.0.22
jetty-http 12.0.22
org.eclipse.jetty
Published
Jun 2, 2025
•
Policy
compliance
maven Registry
Developer Trust Score
Recommended Version:
x.y.z
Recommended upgrade that meets your policy.
Compare Versions
Overview
Overview
Versions
433
Versions
433
Vulnerabilities
2
Vulnerabilities
2
Dependencies
3
Dependencies
3
Severity
Critical
(1)
High
(0)
Medium
(1)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
9.1
CVE-2026-2332
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
affected
Severity
Critical
Published
Apr 15, 2026
6.5
CVE-2025-11143
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
affected
Severity
Medium
Published
Mar 6, 2026
