CVE-2026-8384

Summary

In Eclipse Jetty, an HTTP URI of this form:

/public;/../admin/secret.txt

results in an unresolved path of:

/public/../admin/secret.txt

instead of the expected:

/admin/secret.txt

Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).

However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Jetty12.0.0 <= 12.0.34affected
Eclipse FoundationEclipse Jetty12.1.0 <= 12.1.8affected

Weaknesses

  • CWE-647: CWE-647

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References