Jetty, URI parser bypass, CVE-2025-11143 (Low)

Listen to this Post

The vulnerability, CVE-2025-11143, resides in the URI parsing mechanism of Eclipse Jetty’s `HttpURI` class. The core issue is a discrepancy in how Jetty parses malformed or invalid URIs compared to how common web browsers (like Chrome, Firefox, Safari) parse the same string. Specifically, the `HttpURI` class performs insufficient validation on the authority segment (the part containing user info, host, and port). When presented with an illegally crafted URI that includes ambiguous characters (such as “, @, or backslashes) within the authority, Jetty and a target browser will interpret the hostname differently. For instance, Jetty might extract one host (vulndetector.com) while a browser extracts another (browser.check) from the same invalid URI string like http://[email protected]/`. This differential parsing creates a dangerous inconsistency. If an application uses Jetty's `HttpURI` as a validator (e.g., to check a URL against a blocklist) but then relies on a browser to make the actual request, an attacker can bypass the security filter. The validator (Jetty) sees a safe host (browser.check), but the browser, misinterpreting the URI, makes a request to a malicious host (vulndetector.com`). This can lead to Server-Side Request Forgery (SSRF) or Open Redirect attacks, effectively bypassing security controls that are based on URI parsing .

dailycve form:

Platform: Eclipse Jetty
Version: 7.0.0-12.0.11
Vulnerability : Input Validation
Severity: Low (CVSS 3.7)
date: 03/05/2026

Prediction: Patch by 03/20/2026

What Undercode Say:

Analytics:

Check Jetty version from deployed WAR
grep -i "Implementation-Version" /path/to/jetty/lib/jetty-http-.jar | head -1
Maven: Check project dependency for jetty-http
mvn dependency:tree | grep -E "org.eclipse.jetty:jetty-http" | grep -oE '[0-9]+.[0-9]+.[0-9]+'
Find all Jetty instances on a Linux server
find / -name "jetty-http-.jar" 2>/dev/null | xargs -I {} sh -c 'echo -n "{}: "; unzip -p {} META-INF/MANIFEST.MF | grep "Implementation-Version"'

Exploit:

// PoC payloads demonstrating differential parsing
String[] payloads = {
"http://browser.check &@vulndetector.com/",
"http://[email protected]/",
"http://[email protected]/",
"http://browser.check%5c/" // Encoded backslash
};
// Simulate Jetty parsing (vulnerable versions)
HttpURI jettyUri = new HttpURI(payload);
String jettyHost = jettyUri.getHost();
// Jetty might return "vulndetector.com" or "browser.check\" instead of "browser.check"
<!-- HTML injection to trigger open redirect via user click -->
<a href="http://[email protected]/malicious">Click Here</a>
<!-- Jetty sees "trusted-front.com", browser redirects to "evil.com" -->

Protection from this CVE

Upgrade to Jetty version 12.0.12, 11.0.27, 10.0.27, or 9.4.59 or later . Avoid using Jetty’s `HttpURI` class as a standalone validator for security-critical decisions (like blocklists) if the final request will be made by a different URI parser (e.g., a browser or another HTTP client). Implement strict application-level validation of URIs according to RFC9110, rejecting malformed inputs entirely rather than attempting to parse them permissively .

Impact

Attackers can bypass security filters (like SSRF protection or URL blocklists) by exploiting the parsing disagreement . This can lead to Server-Side Request Forgery (SSRF), allowing an attacker to make requests to internal systems from the server, or Open Redirect attacks, which can be used in phishing campaigns to redirect users to malicious sites . The vulnerability can also lead to information disclosure by revealing implementation details through differential parsing behavior .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top