How the CVE Works:
The vulnerability (CVE-2025-XXXX) in Eclipse Jetty (versions 12.0.0 to 12.0.16) stems from improper validation of the HTTP/2 `SETTINGS_MAX_HEADER_LIST_SIZE` parameter advertised by the peer. An attacker-controlled HTTP/2 client can send an abnormally large value for this setting, causing the Jetty server to allocate a massive `ByteBuffer` when it processes HTTP responses on that connection. Because the server does not cap the advertised value, this leads to excessive memory consumption, triggering `OutOfMemoryError` (OoM) crashes or even abrupt JVM termination. The missing input validation makes the issue remotely exploitable without authentication, disrupting service availability.
DailyCVE Form:
Platform: Eclipse Jetty
Version: 12.0.0 – 12.0.16
Vulnerability: HTTP/2 OoM Exploit
Severity: Critical
Date: May 8, 2025
What Undercode Say:
Exploitation:
1. Craft malicious HTTP/2 request:
SETTINGS_MAX_HEADER_LIST_SIZE = 0xFFFFFFFF
2. Send via HTTP/2 client (e.g., `nghttp2`):
nghttp2 -v --header-table-size=4294967295 http://target:8080
Mitigation:
1. Patch immediately to Jetty 12.0.17.
2. JVM Heap Limits:
// Restrict heap:
java -Xmx512m -jar jetty.jar
3. Network Controls:
iptables -A INPUT -p tcp --dport 8080 -m connlimit --connlimit-above 100 -j DROP
Detection:
1. Monitor logs for OoM exceptions:
grep "OutOfMemoryError" /var/log/jetty.log
2. Debugging:
// Enable JVM dump on OoM: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/jetty_dump.hprof
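A wire-level complement to the log-based detection above, added here as an example (not code from the advisory or from Jetty): it decodes an HTTP/2 SETTINGS frame per the RFC 9113 framing rules and flags a peer that advertises an oversized `SETTINGS_MAX_HEADER_LIST_SIZE`, which is the trigger this advisory describes. The alert threshold and the two sample frames are assumptions constructed for the example, not captured traffic or a Jetty default.

```python
"""Parse HTTP/2 SETTINGS frames and flag an anomalous SETTINGS_MAX_HEADER_LIST_SIZE."""
import struct

SETTINGS_FRAME_TYPE = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6  # RFC 9113 section 6.5.2 identifier
# Assumed monitoring threshold (not a Jetty default): a peer advertising a
# header-list limit above this is treated as anomalous and worth alerting on.
ALERT_THRESHOLD = 1 << 20  # 1 MiB


def parse_settings_frame(raw: bytes) -> dict[int, int]:
    """Decode one SETTINGS frame into {identifier: value}; ValueError if malformed."""
    if len(raw) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(raw[0:3], "big")          # 24-bit payload length
    frame_type, flags = raw[3], raw[4]
    stream_id = struct.unpack("!I", raw[5:9])[0] & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE:
        raise ValueError(f"not a SETTINGS frame (type 0x{frame_type:x})")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    payload = raw[9:9 + length]
    if len(payload) != length or length % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    if flags & 0x1 and length:
        raise ValueError("SETTINGS ACK must carry no payload")
    settings = {}
    for off in range(0, length, 6):                   # 16-bit id + 32-bit value
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[ident] = value
    return settings


def oversized_header_list_setting(raw: bytes, threshold: int = ALERT_THRESHOLD):
    """Return the advertised SETTINGS_MAX_HEADER_LIST_SIZE if above threshold, else None."""
    value = parse_settings_frame(raw).get(SETTINGS_MAX_HEADER_LIST_SIZE)
    if value is not None and value > threshold:
        return value
    return None


# Constructed sample frames (not captured from a real client).
# Benign preface SETTINGS: MAX_CONCURRENT_STREAMS=100, INITIAL_WINDOW_SIZE=65535.
BENIGN_FRAME = bytes.fromhex("00000c 04 00 00000000 0003 00000064 0004 0000ffff")
# Anomalous SETTINGS advertising MAX_HEADER_LIST_SIZE = 0xFFFFFFFF.
ANOMALOUS_FRAME = bytes.fromhex("000006 04 00 00000000 0006 ffffffff")

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("anomalous", ANOMALOUS_FRAME)):
        hit = oversized_header_list_setting(frame)
        print(f"{name}: {'ALERT value=' + hex(hit) if hit else 'ok'}")
```

The check belongs at a point that sees the raw connection (a TLS-terminating proxy or a packet capture hook); Jetty itself sees the value only after the connection preface is parsed.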
References:
Analytics:
- Attack Vector: Network (HTTP/2)
- Complexity: Low (no auth required)
- CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Sources:
Reported By: github.com