Eclipse Jersey, Race Condition, CVE-2025-XXXX (Critical)


The CVE-2025-XXXX vulnerability in Eclipse Jersey stems from a race condition within the SSL context initialization process. The `SslConfigurator` class, responsible for creating `SSLContext` objects, utilizes a caching mechanism to store and reuse contexts. However, this cache is not properly synchronized. When multiple threads concurrently request an `SSLContext` for the same configuration before it is fully initialized, one thread may bypass the critical configuration steps. This occurs because the first thread places an incomplete or default `SSLContext` object into the cache before applying security settings like mutual authentication or custom trust stores. Subsequent threads then retrieve this insecure, partially-configured context. Under normal high-load conditions, this results in `SSLHandshakeException` failures. However, if exploited, it can cause the application to inadvertently trust a malicious server, as the required certificate pinning or client authentication checks are absent from the incorrectly cached context.
Platform: Eclipse Jersey
Version: <2.46, 3.0.0-3.0.16, 3.1.0-3.1.9
Vulnerability: Race Condition
Severity: Critical
Date: 2025-11-18

Prediction: 2025-11-25

What Undercode Say:

`curl -kv https://vulnerable-app.com/secure-endpoint`

`openssl s_client -connect target:443 -state -debug`

`SslConfigurator sslConfig = SslConfigurator.newInstance().keyStore(…).trustStore(…);`

`SSLContext ctx = sslConfig.createSSLContext(); // Race condition here`

How Exploit:

Attacker operates malicious TLS server. Legitimate client application uses vulnerable Jersey version. High concurrent load triggers race condition. Client retrieves insecure default SSLContext. Client connects to malicious server without authentication. Server is incorrectly trusted.

Protection from this CVE:

Upgrade to Jersey 2.46. Upgrade to Jersey 3.0.17. Upgrade to Jersey 3.1.10. Implement external SSLContext management. Disable SSL context caching.
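
One way to implement the external SSLContext management listed above, as an added example (not Jersey's or this advisory's code): the context is built and fully initialized once, then published through a holder class so no thread can observe it before configuration completes. The class name, store paths and the `APP_TLS_STORE_PASSWORD` variable are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds one fully configured SSLContext and exposes it only after init() has succeeded. */
public final class PinnedSslContext {
    // Hypothetical store locations (assumption); adapt to your deployment.
    private static final Path KEY_STORE = Path.of("/etc/app/tls/client.p12");
    private static final Path TRUST_STORE = Path.of("/etc/app/tls/trust.p12");

    // Initialization-on-demand holder: the JVM runs build() exactly once and guarantees
    // that every thread sees the finished object, never a partially configured one.
    private static final class Holder {
        static final SSLContext CONTEXT = build();
    }

    private PinnedSslContext() {}

    public static SSLContext get() {
        return Holder.CONTEXT;
    }

    private static SSLContext build() {
        try {
            // Hypothetical password source (assumption): an environment variable.
            char[] password = System.getenv("APP_TLS_STORE_PASSWORD").toCharArray();
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(KEY_STORE, password), password);   // client certificate for mutual TLS
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(TRUST_STORE, password));           // only CAs in this store are trusted
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;                                      // returned only after init() completed
        } catch (Exception e) {
            // Fail closed: never fall back to SSLContext.getDefault().
            throw new IllegalStateException("TLS context could not be built", e);
        }
    }

    private static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Hand the result to the JAX-RS client with `ClientBuilder.newBuilder().sslContext(PinnedSslContext.get()).build()`, so the client's context does not come from the `SslConfigurator` cache described above.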

Impact:

SSL/TLS misconfiguration. Bypassed mutual authentication. Unauthorized server trust. Potential data exposure. SSLHandshakeException service disruptions.


Sources:

Reported By: github.com