- CVE ID
- CVE-2025-1948
- CVE Description
- In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.
The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
- Published
- May 8, 2025
- CVSS Score & Severity
8.7High
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- EPSS Score
- 0.576%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
org/eclipse/jetty/http2/HTTP2Session.configure(Ljava/util/Map;Z)VJVM
org/eclipse/jetty/http2/HTTP2Session.onSettings(Lorg/eclipse/jetty/http2/frames/SettingsFrame;Z)VJVM
org/eclipse/jetty/http2/internal/HTTP2Session.onSettings(Lorg/eclipse/jetty/http2/frames/SettingsFrame;Z)VJVM
- Source
- National Vulnerability Database