CVE-2025-5115

Severity: High · EPSS 72.2%
Published Aug 20, 2025 (10mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 4.0 base score: 7.7 (High)

Description

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with a window size increment of 0, which is illegal. Per the specification (https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update), the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary: this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous number of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.

Links: https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

CVSS Details

Base Score: 7.7
Exploitability
Impact
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 72.2% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption (category: Resource Mgmt)

Affected Products 7

Vendor    Product   Version   Range
eclipse   jetty     *         ≥9.3.0 – ≤9.4.57
eclipse   jetty     *         ≥10.0.0 – ≤10.0.25
eclipse   jetty     *         ≥11.0.0 – ≤11.0.25
eclipse   jetty     *         ≥12.0.0 – ≤12.0.21
eclipse   jetty     12.1.0    any
eclipse   jetty     12.1.0    any
eclipse   jetty     12.1.0    any

References 11

  • openwall.com http://www.openwall.com/lists/oss-security/2025/08/20/4
    Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2025/09/17/1
    Third Party Advisory
  • github.com https://github.com/jetty/jetty.project/pull/13449
    Issue Tracking
  • github.com https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26
    Release Notes
  • github.com https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26
    Release Notes
  • github.com https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25
    Release Notes
  • github.com https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0
    Release Notes
  • github.com https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814
    Release Notes
  • github.com https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html
    Issue Tracking, Mailing List
  • kb.cert.org https://www.kb.cert.org/vuls/id/767506
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.