CVE-2025-11143 PUBLISHED

Assigner: eclipse
Reserved: 29.09.2025 Published: 05.03.2026 Updated: 05.03.2026

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Eclipse Foundation
Product	Eclipse Jetty
Versions	Default: unaffected affected from 9.4.0 to 9.4.58 (incl.) affected from 10.0.0 to 10.0.26 (incl.) affected from 11.0.0 to 11.0.26 (incl.) affected from 12.0.0 to 12.0.30 (incl.) affected from 12.1.0 to 12.1.4 (incl.)

Credits

zer0yu finder

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh

Problem Types

CWE-20 Improper Input Validation CWE