CVE-2026-1605 PUBLISHED

Assigner: eclipse
Reserved: 29.01.2026 Published: 05.03.2026 Updated: 05.03.2026

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.

This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Eclipse Foundation
Product	Eclipse Jetty
Versions	Default: unaffected affected from 12.0.0 to 12.0.31 (incl.) affected from 12.1.0. to 12.1.5 (incl.)

Credits

Gleb Sizov (@glebashnik) finder
Bjørn Christian Seime (@bjorncs) finder

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f

Problem Types

CWE-400 Uncontrolled Resource Consumption CWE
CWE-401 Missing Release of Memory after Effective Lifetime CWE