PT-2025-20402 · Eclipse · Eclipse Jetty

Bjorncs · Published 2025-05-08 · Updated 2025-05-10 · CVE-2025-1948

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse Jetty versions 12.0.0 through 12.0.16

Description: The issue arises when an HTTP/2 client specifies a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and attempts to allocate a ByteBuffer of the specified capacity to encode HTTP responses. This can result in an OutOfMemoryError being thrown, or even cause the JVM process to exit.

Recommendations: For Eclipse Jetty versions 12.0.0 through 12.0.16, consider validating the SETTINGS_MAX_HEADER_LIST_SIZE parameter to prevent excessively large values from being set, which can help mitigate the risk of OutOfMemoryError or JVM process exit. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
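As an added illustration, not Jetty's own code, the kind of check the recommendation calls for: a small Python parser for HTTP/2 SETTINGS frames (RFC 9113 layout) that treats the peer's advertised SETTINGS_MAX_HEADER_LIST_SIZE as a hint and clamps it to a server-side bound before it is ever used as a buffer size. The 64 KiB bound and the two sample frames are constructed assumptions; the advisory names no specific limit.

```python
import struct

# Frame type, flag and setting identifier from RFC 9113, section 6.5.
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Largest peer-advertised header list size this server will honour when
# sizing its encoder buffer (assumed value; the advisory names no limit).
MAX_ACCEPTED_HEADER_LIST_SIZE = 64 * 1024

# Constructed sample frames on stream 0: one advertising an ordinary 8192,
# one advertising the maximum 32-bit value, which an unvalidated server
# would pass straight to ByteBuffer allocation.
SANE_SETTINGS_FRAME = b"\x00\x00\x06\x04\x00\x00\x00\x00\x00\x00\x06\x00\x00\x20\x00"
HUGE_SETTINGS_FRAME = b"\x00\x00\x06\x04\x00\x00\x00\x00\x00\x00\x06\xff\xff\xff\xff"


def parse_settings_frame(frame: bytes) -> dict[int, int]:
    """Parse a SETTINGS frame into {identifier: value}; ValueError if malformed."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte frame header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    if flags & FLAG_ACK and length != 0:
        raise ValueError("SETTINGS ACK must carry no payload")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6 != 0:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    settings = {}
    for offset in range(0, length, 6):
        identifier, value = struct.unpack_from("!HI", payload, offset)
        settings[identifier] = value  # unknown identifiers are kept; callers ignore them
    return settings


def effective_header_list_size(settings: dict[int, int]) -> int:
    """Size for the response header encoder buffer: the peer's advertised
    limit is only a hint, so clamp it instead of allocating that many bytes."""
    advertised = settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, MAX_ACCEPTED_HEADER_LIST_SIZE)
    return min(advertised, MAX_ACCEPTED_HEADER_LIST_SIZE)
```

With the huge frame, the unclamped value is 4294967295 bytes; the clamped allocation is 65536.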

Weakness Enumeration: Resource Exhaustion

Related Identifiers

CVE-2025-1948
GHSA-889J-63JV-QHR8
RHSA-2025:10092
RHSA-2025:10097
RHSA-2025:10098
RHSA-2025:10104
RHSA-2025:10118
RHSA-2025:10119
RHSA-2025:10120

Affected Products

Eclipse Jetty