CVE-2025-11143

Summary

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Jetty9.4.0 <= 9.4.58affected
Eclipse FoundationEclipse Jetty10.0.0 <= 10.0.26affected
Eclipse FoundationEclipse Jetty11.0.0 <= 11.0.26affected
Eclipse FoundationEclipse Jetty12.0.0 <= 12.0.30affected
Eclipse FoundationEclipse Jetty12.1.0 <= 12.1.4affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References