Bug#1111765: jetty12: CVE-2025-5115

Salvatore Bonaccorso carnil at debian.org
Thu Aug 21 19:46:36 BST 2025


Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115

Hi,

The following vulnerability was published for jetty.

CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update,
| the server should
| send a RST_STREAM frame. The client can now open another stream and
| send another bad WINDOW_UPDATE, therefore causing the server to
| consume more resources than necessary, as this case does not exceed
| the max number of concurrent streams, yet the client is able to
| create an enormous amount of streams in a short period of time.
| The attack can be performed with other conditions (for example, a
| DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame.
| Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
    https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
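The quoted CVE text describes two server-side defences that belong together: rejecting the offending frame the way RFC 9113 requires (a zero-increment WINDOW_UPDATE on a stream is a stream error answered with RST_STREAM, on stream 0 a connection error), and noticing when one connection forces the server to send far more RST_STREAM frames than a well-behaved client ever would. The following is an added example written for this report; it is not code from Jetty, from the linked pull request, or from Debian, and it does not claim to reproduce what upstream's fix does. It models a single HTTP/2 connection with a minimal frame parser, applies the RFC's verdicts for WINDOW_UPDATE and DATA frames, and closes the connection with GOAWAY once more than `max_resets` RST_STREAM frames had to be sent within `window_seconds` (both thresholds are assumptions chosen for illustration). The sample frames are constructed inline.

```python
"""Server-side handling of frames that force RST_STREAM on an HTTP/2 connection:
per-frame validation per RFC 9113 plus a sliding-window limit on resets.
Added example; thresholds and the simplified stream-state model are assumptions."""
import struct
from collections import deque

FRAME_DATA, FRAME_HEADERS, FRAME_WINDOW_UPDATE = 0x0, 0x1, 0x8


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame (RFC 9113 section 4.1): 24-bit length,
    type, flags, reserved bit + 31-bit stream id, payload. Used to build sample input."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frame(buf):
    """Split one HTTP/2 frame into (type, flags, stream_id, payload)."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return ftype, flags, stream_id, payload


class ResetRateLimiter:
    """Sliding-window count of RST_STREAM frames the server had to send on one connection."""

    def __init__(self, max_resets, window_seconds):
        self.max_resets = max_resets
        self.window_seconds = window_seconds
        self.events = deque()

    def record(self, now):
        """Record one RST_STREAM at time `now`; return True once the limit is exceeded."""
        self.events.append(now)
        while now - self.events[0] > self.window_seconds:
            self.events.popleft()
        return len(self.events) > self.max_resets


class Http2Connection:
    """Per-connection state: open/closed streams, the reset limiter, and the
    frames the server decides to send back (recorded in `actions`)."""

    def __init__(self, max_resets=10, window_seconds=1.0):
        self.open_streams = set()
        self.closed_streams = set()
        self.limiter = ResetRateLimiter(max_resets, window_seconds)
        self.actions = []   # ("RST_STREAM", stream_id, error) or ("GOAWAY", 0, error)
        self.alive = True

    def _reset(self, stream_id, error, now):
        """Stream error: answer with RST_STREAM, then check the reset budget."""
        self.open_streams.discard(stream_id)
        self.closed_streams.add(stream_id)
        self.actions.append(("RST_STREAM", stream_id, error))
        if self.limiter.record(now):
            self._goaway("ENHANCE_YOUR_CALM")

    def _goaway(self, error):
        """Connection error: send GOAWAY and stop processing frames."""
        self.actions.append(("GOAWAY", 0, error))
        self.alive = False

    def handle(self, now, frame):
        if not self.alive:
            return
        ftype, flags, sid, payload = parse_frame(frame)
        if ftype == FRAME_HEADERS:
            if sid == 0:
                self._goaway("PROTOCOL_ERROR")
            else:
                self.open_streams.add(sid)
        elif ftype == FRAME_WINDOW_UPDATE:
            if len(payload) != 4:                       # RFC 9113 6.9: wrong length
                self._goaway("FRAME_SIZE_ERROR")
                return
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if increment == 0:                          # RFC 9113 6.9: increment of 0
                if sid == 0:
                    self._goaway("PROTOCOL_ERROR")
                else:
                    self._reset(sid, "PROTOCOL_ERROR", now)
        elif ftype == FRAME_DATA:
            if sid in self.closed_streams:              # DATA on a closed stream
                self._reset(sid, "STREAM_CLOSED", now)
            elif sid not in self.open_streams:          # DATA on an idle stream
                self._goaway("PROTOCOL_ERROR")


def simulate_zero_window_updates(count, max_resets=10):
    """Constructed traffic: `count` streams, each opened and then given a
    zero-increment WINDOW_UPDATE, all within one second. Returns the server's actions."""
    conn = Http2Connection(max_resets=max_resets, window_seconds=1.0)
    for i in range(count):
        sid = 2 * i + 1                                 # client streams are odd-numbered
        t = i * 0.01
        conn.handle(t, build_frame(FRAME_HEADERS, 0x4, sid, b""))   # END_HEADERS
        conn.handle(t, build_frame(FRAME_WINDOW_UPDATE, 0, sid, bytes(4)))
    return conn.actions
```

With the default budget of 10 resets per second, the eleventh zero-increment WINDOW_UPDATE is still answered with RST_STREAM (the frame is invalid either way), but it also trips the limiter, so the connection is torn down with GOAWAY instead of the server continuing to spend CPU and memory on stream after stream. The same counter covers the other variant the advisory mentions, a DATA frame for an already-closed stream, because every forced reset goes through `_reset`. In production the budget should be tuned from observed RST_STREAM rates of legitimate clients, and the GOAWAY events are worth logging per client address as a detection signal.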


