How the CVE Works:
This vulnerability in Eclipse Jetty (9.4.0 to 9.4.56) occurs due to improper handling of Gzip-compressed request bodies. When a malformed gzip payload is processed, Jetty fails to release buffers correctly, leading to request smuggling. Attackers can exploit this by sending a crafted request that causes residual data from one request to be interpreted as part of another, potentially allowing unauthorized data access or request manipulation.
DailyCVE Form:
Platform: Eclipse Jetty
Version: 9.4.0-9.4.56
Vulnerability: Request Smuggling
Severity: Critical
Date: May 8, 2025
What Undercode Say:
Exploitation:
1. Craft a malformed gzip request with overlapping chunks.
2. Send multiple requests to trigger buffer corruption.
3. Observe residual data leakage in subsequent requests.
Protection:
1. Upgrade to Jetty 9.4.57.v20241219 or later.
2. Disable gzip decompression if unused.
3. Implement WAF rules to filter malformed gzip payloads.
Analytics:
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network-based
- Exploit Complexity: Low
Commands & Code:
1. Check Jetty Version:
java -jar jetty-home/start.jar --version
2. Craft Malformed Gzip Request (PoC):
import gzip
import requests

# Truncated gzip body: the last two trailer bytes are removed
malformed_gzip = gzip.compress(b"smuggled_data")[:-2]
requests.post("http://target:8080", headers={"Content-Encoding": "gzip"}, data=malformed_gzip)
3. Mitigation via Jetty Config:
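<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New class="org.eclipse.jetty.server.handler.gzip.GzipHandler">
        <!-- inflateBufferSize <= 0 turns off request-body inflation -->
        <Set name="inflateBufferSize">0</Set>
      </New>
    </Arg>
  </Call>
</Configure>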
4. Log Monitoring for Exploits:
grep -i "GzipException" /var/log/jetty/*.log
5. Curl Test for Vulnerability:
curl -X POST -H "Content-Encoding: gzip" --data-binary @malformed.gz http://target:8080
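To turn the version check and the upgrade advice above into an inventory sweep, the following added example (not from the original page or the Jetty project) classifies version strings against the affected range this page states, 9.4.0 to 9.4.56. The host names, the sample versions and the "host version" input format are constructed assumptions, and "not-affected" only means the version falls outside the range listed here.

```shell
#!/bin/sh
# Added example: flag Jetty versions inside the range this page lists as
# affected (9.4.0 to 9.4.56). Host names and versions below are constructed.

# jetty_status VERSION -> prints affected | not-affected | unparsed
jetty_status() {
    # Keep the leading major.minor.patch; drop qualifiers like ".v20241219".
    core=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*$/\1/p')
    if [ -z "$core" ]; then
        echo unparsed
        return 0
    fi
    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 9 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 56 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# scan_inventory: read "host version" lines on stdin and print every host
# that is affected or whose version could not be parsed.
scan_inventory() {
    while read -r host version; do
        case $host in ''|'#'*) continue ;; esac
        status=$(jetty_status "$version")
        [ "$status" = not-affected ] ||
            printf '%s %s %s\n' "$host" "$version" "$status"
    done
}

# Constructed sample inventory (for example, taken from Server headers).
sample_inventory() {
    cat <<'EOF'
# host version
app01 Jetty(9.4.53.v20231009)
app02 9.4.57.v20241219
app03 jetty-9.4.0.v20161208
app04 10.0.24
app05 unknown
EOF
}

sample_inventory | scan_inventory
```

Hosts reported as "unparsed" need a manual check rather than being assumed safe.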
References:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-XXXX
- Jetty Patch: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.57.v20241219
Sources:
Reported By: github.com