CVE-2025-11143
Received Received - Intake
URI Parsing Inconsistency in Jetty Causes Security Bypass

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: Eclipse Foundation

Description
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11143
EUVD
EUVD-2025-208311
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
eclipse jetty From 10.0.0 (inc) to 10.0.26 (inc)
eclipse jetty From 11.0.0 (inc) to 11.0.26 (inc)
eclipse jetty From 12.0.0 (inc) to 12.0.31 (exc)
eclipse jetty From 12.1.0 (inc) to 12.1.5 (exc)
eclipse jetty From 9.4.0 (inc) to 9.4.58 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-11143 is a vulnerability in the URI parser of the Jetty HTTP server that causes it to handle invalid or unusual URIs differently compared to other common URI parsers.'}, {'type': 'paragraph', 'content': "This differential parsing means that when multiple components process the same URI, they may interpret it inconsistently. For example, one component might reject a URI due to a blacklist, while Jetty's parser might accept it, allowing potentially malicious URIs to bypass security controls."}, {'type': 'list_item', 'content': 'Jetty accepts malformed URI schemes (like "https>") that other parsers reject.'}, {'type': 'list_item', 'content': 'Jetty treats certain IPv4-mapped IPv6 addresses as invalid hosts, unlike other parsers.'}, {'type': 'list_item', 'content': "Jetty parses URIs with embedded delimiters (such as '@' symbols) differently, causing inconsistent host interpretations."}, {'type': 'list_item', 'content': 'Jetty interprets delimiters in URI fragments or query strings differently, affecting URI interpretation.'}, {'type': 'paragraph', 'content': 'At minimum, this discrepancy can leak implementation details and at worst can lead to security bypasses.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'The vulnerability can lead to security bypasses in systems that use multiple components for URI processing.'}, {'type': 'paragraph', 'content': "For example, a security component enforcing a blacklist might reject a malicious URI based on one parsing logic, but Jetty's parser might accept it, allowing the malicious URI to bypass security controls."}, {'type': 'paragraph', 'content': 'This can result in integrity loss, meaning unauthorized or malicious data could be processed or accepted.'}, {'type': 'paragraph', 'content': 'Additionally, the differential parsing may divulge implementation details, which could aid attackers in crafting exploits.'}, {'type': 'paragraph', 'content': 'The vulnerability has a low severity score (CVSS 3.7) and does not impact confidentiality or availability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability arises from Jetty's URI parser handling invalid or unusual URIs differently than other parsers, leading to inconsistent parsing results that may cause security bypasses."}, {'type': 'paragraph', 'content': 'Detection would involve testing how your Jetty server parses various malformed or unusual URIs, especially those with invalid schemes, IPv4-mapped IPv6 addresses, or unusual delimiter placements.'}, {'type': 'paragraph', 'content': 'You can attempt to send crafted HTTP requests with URIs such as:'}, {'type': 'list_item', 'content': 'URIs with invalid schemes like "https>://example.com"'}, {'type': 'list_item', 'content': 'URIs with IPv4-mapped IPv6 addresses like "http://[0:0:0:0:0:ffff:127.0.0.1]/" or "http://[::ffff:255.255.0.0]/"'}, {'type': 'list_item', 'content': 'URIs with embedded delimiters such as \'@\' symbols in hostnames, e.g., "http://[normal.com@]vulndetector.com/" or "http://normal.com[user@vulndetector].com/"'}, {'type': 'paragraph', 'content': 'By observing how your Jetty server responds to these requests compared to other components or parsers, you can detect differential parsing behavior indicative of this vulnerability.'}, {'type': 'paragraph', 'content': 'Specific commands could include using curl or similar tools to send these crafted requests, for example:'}, {'type': 'list_item', 'content': 'curl -v "http://https>://example.com/"'}, {'type': 'list_item', 'content': 'curl -v "http://[0:0:0:0:0:ffff:127.0.0.1]/"'}, {'type': 'list_item', 'content': 'curl -v "http://[normal.com@]vulndetector.com/"'}, {'type': 'paragraph', 'content': 'Comparing the responses or logs from Jetty with other URI parsers can help identify if the vulnerability is present.'}] [1]

Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade Jetty to a patched version.

  • Upgrade to Jetty version 12.0.31 or 12.1.5 or later where the vulnerability is fixed.
  • For older end-of-life releases (11.0.x, 10.0.x, 9.4.x), obtain patches from trusted third-party providers such as tuxcare or herodevs.

No workarounds are noted, so applying the official patches or upgrades is the recommended immediate action.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart