CVE-2025-11143
URI Parsing Inconsistency in Jetty Causes Security Bypass
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: Eclipse Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | jetty | From 10.0.0 (inc) to 10.0.26 (inc) |
| eclipse | jetty | From 11.0.0 (inc) to 11.0.26 (inc) |
| eclipse | jetty | From 12.0.0 (inc) to 12.0.31 (exc) |
| eclipse | jetty | From 12.1.0 (inc) to 12.1.5 (exc) |
| eclipse | jetty | From 9.4.0 (inc) to 9.4.58 (inc) |
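To turn the affected-version table above into a check that can be run over a server inventory, here is an added Python example (not part of the advisory and not Jetty code) that parses a Jetty version string, ignores Jetty's date qualifier, and tests it against the table's inclusive/exclusive bounds; the sample version strings are constructed.

```python
"""Check a Jetty version string against the CVE-2025-11143 affected ranges.
Ranges come from the advisory's affected-products table; sample versions are constructed."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower, lower inclusive, upper, upper inclusive): one entry per table row.
AFFECTED_RANGES = [
    ((9, 4, 0), True, (9, 4, 58), True),
    ((10, 0, 0), True, (10, 0, 26), True),
    ((11, 0, 0), True, (11, 0, 26), True),
    ((12, 0, 0), True, (12, 0, 31), False),
    ((12, 1, 0), True, (12, 1, 5), False),
]

# major.minor.patch plus an optional qualifier (".v20241219", "-SNAPSHOT").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?$")

def parse_jetty_version(version: str) -> Optional[Version]:
    """Return (major, minor, patch), or None if the string is not a version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def in_range(v: Version, lower: Version, lower_inc: bool,
             upper: Version, upper_inc: bool) -> bool:
    """Bound handling mirrors the table's (inc)/(exc) marks."""
    above = v >= lower if lower_inc else v > lower
    below = v <= upper if upper_inc else v < upper
    return above and below

def is_affected(version: str) -> bool:
    """True if the version falls in any affected range. Unparsable strings are
    reported as affected so they get a manual look instead of a silent pass."""
    v = parse_jetty_version(version)
    if v is None:
        return True
    return any(in_range(v, *r) for r in AFFECTED_RANGES)

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for s in ["9.4.57.v20241219", "9.4.59", "12.0.30", "12.0.31", "12.1.4", "12.1.5"]:
        print(f"{s:20} affected={is_affected(s)}")
```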
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11143 is a vulnerability in the URI parser of the Jetty HTTP server that causes it to handle invalid or unusual URIs differently compared to other common URI parsers.
This differential parsing means that when multiple components process the same URI, they may interpret it inconsistently. For example, one component might reject a URI due to a blacklist, while Jetty's parser might accept it, allowing potentially malicious URIs to bypass security controls.
- Jetty accepts malformed URI schemes (like "https>") that other parsers reject.
- Jetty treats certain IPv4-mapped IPv6 addresses as invalid hosts, unlike other parsers.
- Jetty parses URIs with embedded delimiters (such as '@' symbols) differently, causing inconsistent host interpretations.
- Jetty interprets delimiters in URI fragments or query strings differently, affecting URI interpretation.
At minimum, this discrepancy can leak implementation details and at worst can lead to security bypasses. [1]
How can this vulnerability impact me?
The vulnerability can lead to security bypasses in systems that use multiple components for URI processing.
For example, a security component enforcing a blacklist might reject a malicious URI based on one parsing logic, but Jetty's parser might accept it, allowing the malicious URI to bypass security controls.
This can result in integrity loss, meaning unauthorized or malicious data could be processed or accepted.
Additionally, the differential parsing may divulge implementation details, which could aid attackers in crafting exploits.
The vulnerability has a low severity score (CVSS 3.7) and does not impact confidentiality or availability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from Jetty's URI parser handling invalid or unusual URIs differently than other parsers, leading to inconsistent parsing results that may cause security bypasses.
Detection would involve testing how your Jetty server parses various malformed or unusual URIs, especially those with invalid schemes, IPv4-mapped IPv6 addresses, or unusual delimiter placements.
You can attempt to send crafted HTTP requests with URIs such as:
- URIs with invalid schemes like "https>://example.com"
- URIs with IPv4-mapped IPv6 addresses like "http://[0:0:0:0:0:ffff:127.0.0.1]/" or "http://[::ffff:255.255.0.0]/"
- URIs with embedded delimiters such as '@' symbols in hostnames, e.g., "http://[normal.com@]vulndetector.com/" or "http://normal.com[user@vulndetector].com/"
By observing how your Jetty server responds to these requests compared to other components or parsers, you can detect differential parsing behavior indicative of this vulnerability.
Specific commands could include using curl or similar tools to send these crafted requests, for example:
- `curl -v "http://https>://example.com/"`
- `curl -v "http://[0:0:0:0:0:ffff:127.0.0.1]/"`
- `curl -v "http://[normal.com@]vulndetector.com/"`
Comparing the responses or logs from Jetty with other URI parsers can help identify if the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation for this vulnerability is to upgrade Jetty to a patched version.
- Upgrade to Jetty 12.0.31 or later (12.0.x line) or 12.1.5 or later (12.1.x line), where the vulnerability is fixed.
- For older end-of-life releases (11.0.x, 10.0.x, 9.4.x), obtain patches from trusted third-party providers such as TuxCare or HeroDevs.
No workarounds are noted, so applying the official patches or upgrades is the recommended immediate action.