CVE-2025-5115
BaseFortify

Publication date: 2025-08-20

Last updated on: 2025-11-04

Assigner: Eclipse Foundation

Description
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.

For example, a client can open a stream and then send WINDOW_UPDATE frames with a window size increment of 0, which is illegal. Per the specification (https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update), the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary: this case does not exceed the maximum number of concurrent streams, yet the client is able to create an enormous number of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.

Links:
* https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
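As an added illustration of the mechanism in the description (example code written for this page, not code from Jetty or from the advisory): a toy HTTP/2 server-side frame handler in Python that applies the RFC 9113 rules the description cites (a WINDOW_UPDATE with increment 0 and a DATA frame on a closed stream both earn a RST_STREAM) and, as an assumed mitigation, caps how many RST_STREAM frames it will send on one connection before closing the connection with GOAWAY. The frame encoder, the ServerConnection class and the max_resets budget are all constructed here and are not Jetty's implementation.

```python
# HTTP/2 frame types, flag and error codes from RFC 9113 (constants only, not Jetty code)
TYPE_DATA, TYPE_HEADERS, TYPE_WINDOW_UPDATE, FLAG_END_STREAM = 0x0, 0x1, 0x8, 0x1
PROTOCOL_ERROR, STREAM_CLOSED, ENHANCE_YOUR_CALM = 0x1, 0x5, 0xB

def build_frame(ftype, stream_id, payload=b"", flags=0):
    # Frame header (RFC 9113 s4.1): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(buf):
    # Split a byte buffer into (type, flags, stream_id, payload) tuples
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        frames.append((buf[off + 3], buf[off + 4], sid, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames

class ServerConnection:
    # Tracks stream state and budgets RST_STREAM frames per connection (assumed mitigation, not Jetty's code)
    def __init__(self, max_resets=10):
        self.max_resets, self.resets_sent = max_resets, 0
        self.open, self.closed, self.goaway = set(), set(), None

    def _reset(self, sid, code):
        self.open.discard(sid); self.closed.add(sid); self.resets_sent += 1
        if self.resets_sent > self.max_resets:   # budget exhausted: tear down the whole connection
            self.goaway = ENHANCE_YOUR_CALM
            return ("GOAWAY", 0, ENHANCE_YOUR_CALM)
        return ("RST_STREAM", sid, code)

    def handle(self, frame):
        # Returns what the server sends back: ("OK"|"RST_STREAM"|"GOAWAY"|"DROP", stream_id, error_code)
        ftype, flags, sid, payload = frame
        if self.goaway is not None:
            return ("DROP", sid, None)         # connection already closed, frame ignored
        if ftype == TYPE_HEADERS:
            self.open.add(sid)                 # client opened a new stream
        elif ftype == TYPE_WINDOW_UPDATE:
            inc = int.from_bytes(payload[:4], "big") & 0x7FFFFFFF
            if inc == 0 and sid == 0:          # zero increment on the connection window is a connection error
                self.goaway = PROTOCOL_ERROR; return ("GOAWAY", 0, PROTOCOL_ERROR)
            if inc == 0:                       # RFC 9113 s6.9: zero increment on a stream -> RST_STREAM
                return self._reset(sid, PROTOCOL_ERROR)
        elif ftype == TYPE_DATA:
            if sid in self.closed:             # DATA on a closed stream -> RST_STREAM(STREAM_CLOSED)
                return self._reset(sid, STREAM_CLOSED)
            if flags & FLAG_END_STREAM:        # client finished the stream normally
                self.open.discard(sid); self.closed.add(sid)
        return ("OK", sid, None)
```

With the budget in place, the pattern from the description (open a stream, send a zero-increment WINDOW_UPDATE, repeat) costs the server at most max_resets RST_STREAM frames per connection before the connection is closed, instead of one reset per stream for as long as the client keeps going.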
Meta Information
Published: 2025-08-20; last modified: 2025-11-04; page generated: 2026-05-07; AI Q&A generated: 2025-08-20; EPSS evaluated: 2026-05-05
Affected Vendors & Products (9 associated CPEs)
Vendor    Product   Version
eclipse   jetty     9.4.57
eclipse   jetty     9.4.58
eclipse   jetty     10.0.25
eclipse   jetty     10.0.26
eclipse   jetty     11.0.25
eclipse   jetty     11.0.26
eclipse   jetty     12.0.21
eclipse   jetty     12.1.0.alpha2
eclipse   jetty     12.1.0

Note that this CPE list mixes the last affected release of each branch named in the description (9.4.57, 10.0.25, 11.0.25, 12.0.21, 12.1.0.alpha2) with later releases (9.4.58, 10.0.26, 11.0.26, 12.1.0) that fall outside the affected ranges; consult the linked GitHub advisory for the exact fixed versions of each branch.
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Eclipse Jetty (versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2) allows an HTTP/2 client to cause the server to send RST_STREAM frames by sending malformed frames or frames that are not allowed in a particular stream state. For example, a client can send WINDOW_UPDATE frames with a window size increment of 0, which is illegal and causes the server to respond with RST_STREAM frames. By repeatedly opening streams and sending such bad frames, the client can force the server to consume excessive CPU and memory resources, potentially leading to resource exhaustion.

How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to cause a denial of service on the server running Eclipse Jetty. By sending malformed HTTP/2 frames repeatedly, the attacker can force the server to consume excessive CPU and memory resources, potentially degrading performance or causing the server to become unresponsive.