Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/jetty12@12.0.17-1?distro=trixie
purl pkg:deb/debian/jetty12@12.0.17-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-sshg-yscz-afga Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit ### Original Report In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. ### Impact Remote peers can cause the JVM to crash or continuously report OOM. ### Patches 12.0.17 ### Workarounds No workarounds. ### References https://github.com/jetty/jetty.project/issues/12690 CVE-2025-1948
GHSA-889j-63jv-qhr8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T11:54:50.737555+00:00 Debian Importer Fixing VCID-sshg-yscz-afga https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T08:07:56.238766+00:00 Debian Importer Fixing VCID-sshg-yscz-afga https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:27:49.471807+00:00 Debian Importer Fixing VCID-sshg-yscz-afga https://security-tracker.debian.org/tracker/data/json 38.1.0