Vulnerability Lookup

🛡️ CVE-2025-5115

🟠 CVSS 8.0 — High ✅ No Known Exploit CWE-400 NVD

8.0

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Details

Severity HIGH

CVSS Score 8.0

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE CWE-400

Public Exploit ✅ No

Source NVD

Published 2025-08-20

Updated 2026-06-15

Modified 2026-01-27

Fix URL N/A

Affected Packages

Software	From version	Fixed in
jetty	—	—
org.eclipse.jetty.http2:http2-common	11.0.0	11.0.26
org.eclipse.jetty.http2:jetty-http2-common	12.1.0.alpha0	12.1.0.beta3

References

Issue Tracking https://github.com/jetty/jetty.project/pull/13449

Release Notes https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26

Release Notes https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26

Release Notes https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25

Release Notes https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0

Release Notes https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814

Third Party Advisory https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Third Party Advisory http://www.openwall.com/lists/oss-security/2025/08/20/4

Third Party Advisory http://www.openwall.com/lists/oss-security/2025/09/17/1

Issue Tracking, Mailing List https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html

Third Party Advisory https://www.kb.cert.org/vuls/id/767506

🔗 NVD 🔗 Mitre

Similar Threats

Exploit Protection

Help block exploit attempts

BotEraser is designed to detect and help reduce malicious bot traffic that may target known vulnerabilities on your site.

Try BotEraser Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Help block exploit attempts

Company

Resources

Services

Trusted

Subscribe