Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.eclipse.jetty/jetty-http@12.0.31 |
|---|
| Type | maven |
|---|
| Namespace | org.eclipse.jetty |
|---|
| Name | jetty-http |
|---|
| Version | 12.0.31 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 12.0.33 |
|---|
| Latest_non_vulnerable_version | 12.1.7 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-e1r9-bbdh-qqf6 |
| vulnerability_id |
VCID-e1r9-bbdh-qqf6 |
| summary |
org.eclipse.jetty:jetty-http has different parsing of invalid URIs
The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:
#### Invalid Scheme
| URI | Jetty | uri-js (nodejs) | node-url(nodejs) |
|---|---|---| --- |
| `https>://vulndetector.com/path` | scheme=`http>`| scheme=`https` | invalid URI |
#### Improper IPv4 mapped IPv6
| URI | Jetty | System.Uri(CSharp) | curl(C) |
|---|---|---| --- |
| `http://[0:0:0:0:0:ffff:127.0.0.1]` | invalid | host=`[::ffff:127.0.0.1]` | host=`[::ffff:127.0.0.1]` |
| `http://[::ffff:255.255.0.0]` | invalid | host=`[::ffff:255.255.0.0]` | host=`[::ffff:255.255.0.0]` |
#### Incorrect IPv6 delimeter priority
| URI | Jetty | urllib3(python) | furl(python) | Spring | chromium |
|---|---|---| --- |---|---|
| `http://[normal.com@]vulndetector.com/` | host=`[normal.com@]` | invalid | invalid | | |
| `http://normal.com[user@vulndetector].com/` | host=`[noirmal.com@vulndetector | | | host=`normal.com` | invalid |
| `http://normal.com[@]vulndetector.com/` | host=`normal.com[@] | | | host=`normal.com` | invalid |
#### Incorrect delimeter priority
| URI | Jetty | urllib3(python) | jersey |
|---|---|---| --- |
| `http://normal.com/#@vulndetector.com` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |
| `http://normal.com/?@vulndetector.com` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |
### Impact
Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response.
At the very least, differential parsing may divulge implementation details.
### Patches
Patched in Supported Open Source versions.
* 12.1.5 - Supported and available on Maven Central
* 12.0.31 - Supported and available on Maven Central
* 11.0.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
* 10.0.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
* 9.4.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
### Workarounds
None
### Resources
+ [Java Eclipse Jetty Report_ Incorrect Parsing Priority of the IPv6 Hostname Delimeter.pdf](https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf)
+ [Java Eclipse Jetty Report_ The Parsing Priority of the Delimiter.pdf](https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf)
+ [Java Eclipse Jetty Report_ Parsing Difference Due to Deformed Scheme.pdf](https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf)
+ [Java Eclipse Jetty Report_ Improper IPv4-mapped IPv6 Parsing.pdf](https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf) |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-11143 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00093 |
| scoring_system |
epss |
| scoring_elements |
0.26246 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00093 |
| scoring_system |
epss |
| scoring_elements |
0.26205 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27925 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27921 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27989 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.2803 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.28033 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27991 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27932 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00102 |
| scoring_system |
epss |
| scoring_elements |
0.27943 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-11143 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-11143, GHSA-wjpw-4j6x-6rwh
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e1r9-bbdh-qqf6 |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-http@12.0.31 |
|---|