VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-sshg-yscz-afga

Essentials
Severities (31)
References (19)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sshg-yscz-afga
Aliases	CVE-2025-1948 GHSA-889j-63jv-qhr8
Summary	Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit ### Original Report In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. ### Impact Remote peers can cause the JVM to crash or continuously report OOM. ### Patches 12.0.17 ### Workarounds No workarounds. ### References https://github.com/jetty/jetty.project/issues/12690
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-400	Uncontrolled Resource Consumption
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json
epss	0.0047	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-889j-63jv-qhr8
cvssv3.1	7.5	https://github.com/jetty/jetty.project
generic_textual	HIGH	https://github.com/jetty/jetty.project
cvssv3.1	7.5	https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
generic_textual	HIGH	https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
cvssv3.1	7.5	https://github.com/jetty/jetty.project/issues/12690
generic_textual	HIGH	https://github.com/jetty/jetty.project/issues/12690
cvssv3.1	7.5	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
cvssv3.1_qr	HIGH	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
generic_textual	HIGH	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
ssvc	Track	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
cvssv3.1	7.5	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
generic_textual	HIGH	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
ssvc	Track	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-1948
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-1948

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-1948
		https://github.com/jetty/jetty.project
		https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
		https://github.com/jetty/jetty.project/issues/12690
		https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
		https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
		https://nvd.nist.gov/vuln/detail/CVE-2025-1948
2365137		https://bugzilla.redhat.com/show_bug.cgi?id=2365137
GHSA-889j-63jv-qhr8		https://github.com/advisories/GHSA-889j-63jv-qhr8
RHSA-2025:10092		https://access.redhat.com/errata/RHSA-2025:10092
RHSA-2025:10097		https://access.redhat.com/errata/RHSA-2025:10097
RHSA-2025:10098		https://access.redhat.com/errata/RHSA-2025:10098
RHSA-2025:10104		https://access.redhat.com/errata/RHSA-2025:10104
RHSA-2025:10118		https://access.redhat.com/errata/RHSA-2025:10118
RHSA-2025:10119		https://access.redhat.com/errata/RHSA-2025:10119
RHSA-2025:10120		https://access.redhat.com/errata/RHSA-2025:10120
RHSA-2025:13274		https://access.redhat.com/errata/RHSA-2025:13274
RHSA-2025:7696		https://access.redhat.com/errata/RHSA-2025:7696

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/issues/12690

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:31:29Z/ Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:31:29Z/ Found at https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-1948

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.64599
EPSS Score	0.0047
Published At	April 21, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:56:57.656281+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-889j-63jv-qhr8/GHSA-889j-63jv-qhr8.json	38.0.0