
CVE-2025-5115: High Vulnerability in Eclipse Jetty

A high-severity vulnerability in Eclipse Jetty allows HTTP/2 clients to force the server to consume excessive CPU and memory. Organizations should prioritize patching immediately to prevent resource exhaustion attacks.

HIGH · CVSS 7.7 · Published August 20, 2025


CVE-2025-5115 is a high-severity vulnerability identified in Eclipse Jetty, affecting versions 9.4.57 and earlier, as well as 10.0.25, 11.0.25, 12.0.21, and 12.1.0.alpha2. An HTTP/2 client can make the server send RST_STREAM frames by sending malformed frames, or frames that are not permitted in the current stream state. As a result, the server may be forced to consume excessive resources, including CPU and memory.

For instance, a client can open a stream and send WINDOW_UPDATE frames with a window size increment of 0, which is illegal. According to RFC 9113, the server is expected to respond with a RST_STREAM frame. The client can repeat this action on many new streams in quick succession, leading to potential resource exhaustion.

Risk to organizations includes the potential for denial of service due to resource exhaustion. Attackers may leverage this vulnerability to impact server availability, making it critical for organizations to address this issue promptly.

Organizations should prioritize patching immediately to mitigate this vulnerability. The exploitability of this vulnerability is assessed as high, and there is currently no known public exploit.

Eclipse Jetty has released patches addressing this vulnerability in versions 9.4.58, 10.0.26, 11.0.26, 12.0.25, and 12.1.0. Organizations running affected versions should upgrade promptly.

For additional details regarding this vulnerability, companies can refer to the official advisories available on GitHub.

In summary, CVE-2025-5115 represents a significant security risk for organizations utilizing Eclipse Jetty. Immediate action is necessary to protect against potential resource exhaustion attacks.

For continuous security validation, organizations may consider implementing continuous penetration testing to identify and remediate similar vulnerabilities.

Vulnerability Details

The vulnerability CVE-2025-5115 allows an HTTP/2 client to send malformed frames to the server, thereby causing it to consume excessive resources. The affected products include various versions of Eclipse Jetty, specifically versions prior to 9.4.58, 10.0.26, 11.0.26, 12.0.25, and 12.1.0.

The vulnerability is classified as CWE-400: Uncontrolled Resource Consumption. The CVSS score for this vulnerability is 7.7, indicating a high severity level.

Technical Analysis

The root cause of CVE-2025-5115 lies in how the server handles invalid HTTP/2 frames. When a client sends a WINDOW_UPDATE frame with an illegal window size increment, the HTTP/2 specification requires the server to respond with a RST_STREAM frame; each such response costs the server CPU and memory, and a client can trigger it repeatedly on new streams.

The attack vector for this vulnerability is network-based, requiring no user interaction or authentication. Attack complexity is low, allowing attackers to exploit this vulnerability with minimal effort.

The impact of this vulnerability primarily affects server availability, as the server may experience resource exhaustion due to excessive RST_STREAM frames triggered by clients. There is no confidentiality or integrity impact associated with this issue.

Risk & Impact Analysis

The potential risk to organizations includes denial of service due to resource exhaustion. Exploiting this vulnerability could allow an attacker to disrupt services by overwhelming the server with RST_STREAM frames, impacting the availability of applications relying on Eclipse Jetty.

Given the high CVSS score of 7.7, organizations should assess their deployment of Eclipse Jetty and implement necessary patches. The urgency for remediation is high, and organizations should prioritize addressing this vulnerability within their patch management processes.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

The following versions of Eclipse Jetty are affected by CVE-2025-5115: all versions prior to the vendor patches (9.4.58, 10.0.26, 11.0.26, 12.0.25, and 12.1.0), including 9.4.57, 10.0.25, 11.0.25, 12.0.21, and 12.1.0.alpha2.

Mitigation & Remediation

Organizations must upgrade to patched versions of Eclipse Jetty to mitigate this vulnerability. The recommended versions to upgrade to include 9.4.58, 10.0.26, 11.0.26, 12.0.25, and 12.1.0.

If immediate patching is not feasible, organizations should implement network controls to limit access to the affected services and monitor for suspicious activity.

For enhanced security, organizations may consider engaging in application security assessments to identify potential weaknesses in their systems.

Detection Guidance

Organizations should monitor logs for indicators of exploitation attempts, in particular a high rate of RST_STREAM frames sent by the server on a single HTTP/2 connection, or many short-lived streams that are reset almost immediately after being opened. Behavioral anomalies of this kind should also be tracked to identify potential abuse of the HTTP/2 protocol.
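The detection logic described above, and the per-connection rate check that the Technical Analysis implies, as an added example that is not part of the original advisory or of the Jetty project: a sliding-window counter of RST_STREAM frames per HTTP/2 connection, run over constructed log lines in an assumed format (not Jetty's own).

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Assumed, constructed log format (not Jetty's own):
#   <ISO-8601 ts> conn=<id> stream=<n> event=<FRAME> [error=<code>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\S+) stream=(?P<stream>\d+) "
    r"event=(?P<event>[A-Z_]+)(?: error=(?P<error>[A-Z_]+))?$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "conn": m["conn"], "stream": int(m["stream"]),
            "event": m["event"], "error": m["error"]}

class RstStreamRateMonitor:
    """Flag a connection once the server has sent it more than max_events
    RST_STREAM frames inside any span of window_seconds."""
    def __init__(self, max_events=20, window_seconds=1.0):
        self.max_events, self.window = max_events, window_seconds
        self.events = defaultdict(deque)  # conn id -> RST_STREAM timestamps
        self.flagged = set()

    def observe(self, rec):
        if rec is None or rec["event"] != "RST_STREAM":
            return False
        q = self.events[rec["conn"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()  # forget resets that fell outside the window
        if len(q) > self.max_events:
            self.flagged.add(rec["conn"])
            return True
        return False

def scan_log(lines, max_events=20, window_seconds=1.0):
    mon = RstStreamRateMonitor(max_events, window_seconds)
    for line in lines:
        mon.observe(parse_line(line))
    return sorted(mon.flagged)  # ids of connections that exceeded the limit

# Constructed sample: conn A is normal; conn B has a stream reset every 10 ms.
SAMPLE_LOG = ["2025-08-20T10:00:00.000Z conn=A stream=1 event=HEADERS",
              "2025-08-20T10:00:00.050Z conn=A stream=1 event=DATA"]
SAMPLE_LOG += [f"2025-08-20T10:00:00.{10 * i:03d}Z conn=B stream={2 * i + 1} "
               f"event=RST_STREAM error=PROTOCOL_ERROR" for i in range(30)]
```

The threshold of 20 resets per second is an assumed starting point; tune it against baseline traffic, since a burst of resets from one client is the signal, not occasional single resets.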

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-5115 highlights the importance of robust input validation and resource management in server protocols. It represents a pattern where poorly handled client requests can lead to severe server resource depletion.

Security teams should take proactive measures by incorporating regular security assessments into their development lifecycle to mitigate similar vulnerabilities in the future.

For further guidance on strengthening security practices, organizations can refer to our penetration testing methodology and ensure their systems are resilient against evolving threats.

Finally, organizations should stay informed about security trends and vulnerability exposure by regularly reviewing our vulnerability management program updates.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
