PT-2025-34149 · Eclipse · Eclipse Jetty

Anatbb

Published 2025-08-20 · Updated 2026-05-31

CVE-2025-5115

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
Eclipse Jetty versions <= 9.4.57
Eclipse Jetty versions <= 10.0.25
Eclipse Jetty versions <= 11.0.25
Eclipse Jetty versions <= 12.0.21
Eclipse Jetty version 12.1.0.alpha2
Description: An HTTP/2 client can make the server send RST_STREAM frames by sending malformed or invalid frames, and in doing so force the server to consume excessive CPU and memory. Specifically, the client sends a WINDOW_UPDATE frame with an increment of 0, which RFC 9113 forbids; the server answers with a RST_STREAM frame for that stream. The flaw is in the accounting: a stream the server has reset is no longer counted as active, even though the server still does the work for it, so the active-streams limit (SETTINGS_MAX_CONCURRENT_STREAMS) never trips and the attacker can keep opening streams. Repeating the sequence exhausts server resources and causes a denial of service. Other protocol violations that make the server reset a stream work the same way, for example a DATA frame for a stream that is already closed. The issue is similar to Rapid Reset (CVE-2023-44487) but differs in that the RST_STREAM frame is sent by the server rather than by the client.
Recommendations: Update to Eclipse Jetty 9.4.58, 10.0.26, 11.0.26, 12.0.22 or 12.1.0.alpha3 (or later in the respective branch). As a quick mitigation until then: limit the number or rate of RST_STREAM frames the server sends per connection; limit the number or rate of control frames (for example WINDOW_UPDATE and PRIORITY) accepted from a client; and treat protocol flow errors as connection errors, closing the connection instead of resetting only the stream.
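The following is an added example, not code from this page or from the Jetty project. It models, in Python, the server-side stream accounting the description above explains and the two mitigations the recommendations name: a per-connection budget of server-sent RST_STREAM frames, and treating flow errors as connection errors. The Server class, its rst_budget and strict switches, the field names and the client burst are all constructed for illustration; the frames are real RFC 9113 framing, but no HPACK is done and nothing touches a network.

```python
"""Toy model of the server-side accounting behind CVE-2025-5115 (constructed
illustration, not Jetty code): why a server-initiated RST_STREAM slips past
SETTINGS_MAX_CONCURRENT_STREAMS, and the two mitigations the advisory names."""
import struct

# RFC 9113 frame types, error codes and HEADERS flags used below
DATA, HEADERS, RST_STREAM, GOAWAY, WINDOW_UPDATE = 0x0, 0x1, 0x3, 0x7, 0x8
PROTOCOL_ERROR, FRAME_SIZE_ERROR, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x1, 0x6, 0x7, 0xB
END_STREAM, END_HEADERS = 0x1, 0x4


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def window_update(stream_id, increment):
    """WINDOW_UPDATE carries a 31-bit increment; RFC 9113 section 6.9 forbids an increment of 0."""
    return frame(WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment & 0x7FFFFFFF))


def parse_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, sid, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


def made_you_reset_burst(n):
    """Constructed client traffic: n streams, each opened and then hit with WINDOW_UPDATE(0)."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams are odd-numbered
        out += frame(HEADERS, END_HEADERS | END_STREAM, sid)  # header block left empty (no HPACK here)
        out += window_update(sid, 0)  # illegal increment: the server has to reset the stream
    return out


class Server:
    """Server-side connection state. rst_budget=None with strict=False is the vulnerable behaviour."""

    def __init__(self, max_concurrent=100, rst_budget=None, strict=False):
        self.max_concurrent, self.rst_budget, self.strict = max_concurrent, rst_budget, strict
        self.active = set()   # streams counted against SETTINGS_MAX_CONCURRENT_STREAMS
        self.dispatched = 0   # request handlers started; each keeps consuming CPU/memory after a reset
        self.refused = 0      # HEADERS rejected by the concurrency limit
        self.rsts_sent = 0    # server-initiated RST_STREAM frames on this connection
        self.sent = []        # frames the server would write back
        self.closed = False

    def _send_rst(self, sid, code):
        self.active.discard(sid)  # the stream leaves the counter; its handler does not stop
        self.rsts_sent += 1
        if self.rst_budget is not None and self.rsts_sent > self.rst_budget:
            self._goaway(ENHANCE_YOUR_CALM)  # mitigation 1: cap server-sent resets per connection
            return
        self.sent.append(frame(RST_STREAM, 0, sid, struct.pack(">I", code)))

    def _goaway(self, code):
        self.sent.append(frame(GOAWAY, 0, 0, struct.pack(">II", max(self.active, default=0), code)))
        self.closed = True

    def _flow_error(self, sid):
        if self.strict:
            self._goaway(PROTOCOL_ERROR)  # mitigation 2: treat the flow error as a connection error
        else:
            self._send_rst(sid, PROTOCOL_ERROR)  # stream error only, as the vulnerable servers did

    def handle(self, buf):
        for ftype, flags, sid, payload in parse_frames(buf):
            if self.closed:
                break
            if ftype == HEADERS:
                if len(self.active) >= self.max_concurrent:
                    self.refused += 1
                    self._send_rst(sid, REFUSED_STREAM)  # the normal concurrency limit
                else:
                    self.active.add(sid)
                    self.dispatched += 1
            elif ftype == WINDOW_UPDATE:
                if len(payload) != 4:
                    self._goaway(FRAME_SIZE_ERROR)
                elif struct.unpack(">I", payload)[0] & 0x7FFFFFFF == 0:
                    self._flow_error(sid)
            elif ftype == DATA and sid not in self.active:
                self._flow_error(sid)  # DATA on a closed stream: the other trigger the advisory names
        return self.sent


if __name__ == "__main__":
    burst = made_you_reset_burst(5000)
    for label, srv in [("vulnerable", Server()), ("rst budget", Server(rst_budget=50)), ("strict", Server(strict=True))]:
        srv.handle(burst)
        print(f"{label:10s} dispatched={srv.dispatched} resets={srv.rsts_sent} closed={srv.closed}")
```

Run stand-alone, the script prints three summaries for the same 5000-stream burst: the vulnerable configuration dispatches all 5000 requests and never closes the connection, because every reset stream drops out of the active count while the limit of 100 concurrent streams is never reached; the budgeted configuration sends 50 RST_STREAM frames and then answers the 51st reset with GOAWAY; the strict configuration closes the connection on the first illegal WINDOW_UPDATE. A plain flood of 200 HEADERS without the reset trick, by contrast, is stopped by the ordinary concurrency limit after 100 streams, which is exactly the check the attack bypasses.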

Fix

DoS

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

BDU:2025-12933
CLEANSTART-2026-LO22603
CVE-2025-5115
DLA-4299-1
DSA-6005-1
DSA-6006-1
GHSA-mmxm-8w33-wc4h
OPENSUSE-SU-2025:15482-1
RHSA-2025:16454
RHSA-2025:16455
RHSA-2025:16456
RHSA-2025:16457
RHSA-2025:16459
RHSA-2025:16460
RHSA-2025:16461
RHSA-2025:16462
SUSE-SU-2025:02993-1
SUSE-SU-2025:02993-2

Affected Products

Debian
Eclipse Jetty
RED OS
SUSE