CVE-2025-11143
This vulnerability has been fixed in the Never-Ending Support (NES) versions of Jetty offered by HeroDevs.
Overview
Eclipse Jetty is a widely used, embeddable Java web server and servlet container. It supports HTTP/1.1, HTTP/2, HTTP/3, and WebSocket, and is commonly deployed both as a standalone server and embedded within Java application runtimes and frameworks.
An improper input validation vulnerability (CVE-2025-11143) has been identified in the jetty-http package. Jetty's URI parser handles certain malformed or non-standard URIs differently than other common parsers. In systems where a security component such as a reverse proxy, WAF, or framework filter sits in front of Jetty, this difference in parsing behavior can allow a specially crafted URI to bypass access controls. At minimum, the inconsistency may expose implementation details about how Jetty processes requests.
This issue affects multiple versions of Eclipse Jetty jetty-http.
Details
Module Info
- Product: Eclipse Jetty
- Affected packages: org.eclipse.jetty:jetty-http
- Affected versions: >=9.4.0 <=9.4.58, >=10.0.0 <=10.0.26, >=11.0.0 <=11.0.26, >=12.0.0 <=12.0.30, >=12.1.0 <=12.1.4
- GitHub repository: https://github.com/jetty/jetty.project
- Published packages: https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-http
- Package manager: Maven
- Fixed In: NES for Jetty v9.4.59, v10.0.27, v11.0.27
Vulnerability Info
This low-severity vulnerability is found in the jetty-http package across all affected versions of Eclipse Jetty.
Jetty's URI parser diverges from other widely used parsers, including those in Node.js, Python, curl, Spring, Chromium, and C#, when processing malformed or unusual URI inputs. The divergences fall into four categories.
Malformed scheme. When a URI contains an invalid scheme such as https>://example.com/path, Jetty accepts the characters before the first colon, https>, as the scheme rather than rejecting the input or normalizing it. Other parsers either reject the URI or correctly extract https as the scheme.
IPv4-mapped IPv6 addresses. Jetty rejects certain valid IPv4-mapped IPv6 addresses such as http://[::ffff:255.255.0.0] that other parsers accept and normalize. This can produce unexpected mismatches in host-based access control logic.
IPv6 delimiter priority. Jetty mishandles the precedence of the bracket and @ delimiters in certain malformed IPv6-style URIs. For example, http://[normal.com@]vulndetector.com/ is parsed by Jetty with [normal.com@] as the host. Most other parsers reject this URI as invalid.
General delimiter priority. URIs in which a # or ? appears before an @ can cause Jetty to resolve a different host than the upstream component. In http://normal.com/#@vulndetector.com, for example, the # terminates the authority, so most parsers correctly identify normal.com as the host and treat @vulndetector.com as part of the fragment, whereas Jetty parses the URI as targeting vulndetector.com.
In each case, a crafted URI can satisfy a security check in one component while being routed or interpreted differently by Jetty.
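The following harness is an added example, not code from the Jetty project or from HeroDevs. It runs the four URIs quoted above through two of the "other" parsers a fronting component might use: Python's urllib.parse (validating) and the non-validating split regex from RFC 3986 Appendix B. It then compares each result with the reading the advisory attributes to Jetty. The Jetty column is transcribed from the advisory text, not computed here, and the allow-list of a single permitted host is a constructed assumption standing in for a proxy or WAF rule.

```python
"""Parser-differential check for the URIs named in the CVE-2025-11143 advisory.

Added example (not Jetty or HeroDevs code). Python's urllib.parse and the RFC 3986
Appendix B regex stand in for the component in front of Jetty; the Jetty reading is
copied from the advisory text, not computed.
"""
import re
from urllib.parse import urlsplit

# RFC 3986 Appendix B: splits any string into components without validating them,
# so a stray character such as '>' simply lands in the scheme.
RFC3986_SPLIT = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$"
)

# Constructed table: the advisory's URIs and what the advisory says Jetty makes of
# them. Only fields the advisory states are recorded; None means "not stated".
ADVISORY_CASES = {
    "https>://example.com/path": {"scheme": "https>", "host": None},
    "http://[::ffff:255.255.0.0]": {"scheme": None, "host": None, "rejected": True},
    "http://[normal.com@]vulndetector.com/": {"scheme": None, "host": "[normal.com@]"},
    "http://normal.com/#@vulndetector.com": {"scheme": None, "host": "vulndetector.com"},
}


def rfc3986_split(uri: str) -> dict:
    """Lenient split per RFC 3986 Appendix B; host = authority minus userinfo and port."""
    scheme, authority, path, query, fragment = RFC3986_SPLIT.match(uri).groups()
    host = None
    if authority is not None:
        hostport = authority.rpartition("@")[2]          # drop userinfo (text before last '@')
        if hostport.startswith("["):
            host = hostport[1:].partition("]")[0]        # bracketed IP literal, brackets stripped
        else:
            host = hostport.partition(":")[0]            # drop port
    return {"scheme": scheme, "authority": authority, "host": host,
            "path": path, "query": query, "fragment": fragment}


def python_view(uri: str) -> dict:
    """What a urllib.parse-based front component sees; ValueError counts as rejection."""
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        return {"scheme": None, "host": None, "rejected": True, "error": str(exc)}
    return {"scheme": parts.scheme or None, "host": parts.hostname, "rejected": False}


def mismatches(uri: str) -> list:
    """Fields where urllib.parse and Jetty (per the advisory) disagree on this URI."""
    py = python_view(uri)
    jetty = ADVISORY_CASES[uri]
    out = []
    if jetty.get("rejected", False) != py["rejected"]:
        out.append("acceptance")
    for field in ("scheme", "host"):
        if jetty.get(field) is not None and jetty[field] != py[field]:
            out.append(field)
    return out


def proxy_allows(uri: str, allowed_hosts: frozenset) -> bool:
    """Host allow-list as a urllib.parse-based proxy or WAF would evaluate it."""
    view = python_view(uri)
    return not view["rejected"] and view["host"] in allowed_hosts


def bypass_risk(uri: str, allowed_hosts: frozenset) -> bool:
    """True when the front check passes but Jetty (per the advisory) targets a host it would not allow."""
    jetty_host = ADVISORY_CASES[uri].get("host")
    return (proxy_allows(uri, allowed_hosts)
            and jetty_host is not None
            and jetty_host not in allowed_hosts)


if __name__ == "__main__":
    allowed = frozenset({"normal.com"})   # assumed proxy rule: only this host may reach Jetty
    for uri, jetty in ADVISORY_CASES.items():
        py = python_view(uri)
        lenient = rfc3986_split(uri)
        print(uri)
        print(f"  urllib.parse : scheme={py['scheme']!r} host={py['host']!r} rejected={py['rejected']}")
        print(f"  RFC3986 regex: scheme={lenient['scheme']!r} host={lenient['host']!r}")
        print(f"  Jetty (advisory): {jetty}")
        print(f"  mismatches={mismatches(uri)} allow-list bypass risk={bypass_risk(uri, allowed)}")
```

Only the last URI produces a true allow-list bypass under this rule: the Python-side check sees normal.com and passes the request, while Jetty, per the advisory, routes it to vulndetector.com. The other three surface as acceptance or host mismatches rather than a clean bypass, which is the "at minimum, exposes implementation details" outcome described above. Note that the lenient regex already reads https> as the scheme in the first case, which shows how easily a non-validating split reproduces Jetty's behaviour; a validating parser in front of Jetty is only a safeguard if its rejections and normalizations match what Jetty does.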
Mitigation
Only recent versions of Eclipse Jetty are community-supported, and only those versions will receive updates addressing this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a supported version of Eclipse Jetty (12.0.31 or 12.1.5)
- Leverage a commercial support partner like HeroDevs for post-EOL security support