Vulnerability_id VCID-daws-9x98-vbbm
Summary
The Eclipse Jetty Server Artifact has a Gzip request memory leak
### Description (as reported)

There is a memory leak when using `GzipHandler` in jetty-12.0.30 that can cause off-heap OOMs. This can be used for DoS attacks so I'm reporting this as a vulnerability.

The leak is created by requests where the request is inflated (`Content-Encoding: gzip`) and the response is not deflated (no `Accept-Encoding: gzip`). In these conditions, a new inflater will be created by `GzipRequest` and never released back into `GzipRequest.__inflaterPool` because `gzipRequest.destroy()` is not called.

In heap dumps one can see thousands of `java.util.zip.Inflater` objects, which use both Java heap and native memory. Leaking native memory causes off-heap OOMs.

Code path in `GzipHandler.handle()`:
1. Line 601: `GzipRequest` is created when request inflation is needed.
2. Lines 611-616: The callback is only wrapped in `GzipResponseAndCallback` when both inflation and deflation are needed.
3. Lines 619-625: If the handler accepts the request (returns true), `gzipRequest.destroy()` is not called; it is only called in the "request not accepted" path (returns false).

When deflation is needed, `GzipResponseAndCallback` (lines 102 and 116) properly calls `gzipRequest.destroy()` in its `succeeded()` and `failed()` methods. But this wrapper is only created when deflation is needed.

Possible fix:
The callback should be wrapped whenever a `GzipRequest` is created, not just when deflation is needed. This ensures `gzipRequest.destroy()` is always called when the request completes.


### Impact
The leak causes the JVM to crash with OOME.

### Patches
No patches yet.

### Workarounds
Disable `GzipHandler`.

### References
https://github.com/jetty/jetty.project/issues/14260

https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
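The following stand-alone Java program is an added illustration of the resource-lifetime bug described in the advisory above; it is not Jetty code and uses no Jetty API. `Callback`, `InflaterPool`, `InflatingRequest`, `handleLeaky` and `handleFixed` are hypothetical stand-ins for the real `Callback`, `__inflaterPool`, `GzipRequest` and the two shapes of `GzipHandler.handle()`. It reproduces the defect pattern (a pooled `java.util.zip.Inflater` is only returned on the "not accepted" path) beside the fix shape the reporter proposes (always wrap the completion callback so `destroy()` runs on every completion path), and counts how many `Inflater` objects each shape allocates over a run of accepted, non-deflated requests.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class InflaterLeakDemo {

    /** Hypothetical stand-in for a request completion callback (succeeded/failed). */
    interface Callback {
        void succeeded();
        void failed(Throwable cause);
    }

    /** Hypothetical pool of Inflater objects; each new Inflater also owns native zlib state. */
    static final class InflaterPool {
        private final Deque<Inflater> idle = new ArrayDeque<>();
        private int created;

        synchronized Inflater acquire() {
            Inflater inflater = idle.pollFirst();
            if (inflater == null) {
                inflater = new Inflater();
                created++;
            }
            return inflater;
        }

        synchronized void release(Inflater inflater) {
            inflater.reset();
            idle.addFirst(inflater);
        }

        synchronized int created() { return created; }
        synchronized int idle() { return idle.size(); }
    }

    /** Hypothetical stand-in for GzipRequest: borrows an Inflater, must be destroy()ed exactly once. */
    static final class InflatingRequest {
        private final InflaterPool pool;
        private Inflater inflater;

        InflatingRequest(InflaterPool pool) {
            this.pool = pool;
            this.inflater = pool.acquire();
        }

        byte[] readBody(byte[] compressed) throws DataFormatException {
            inflater.setInput(compressed);
            byte[] buf = new byte[4096];
            int n = inflater.inflate(buf);
            return Arrays.copyOf(buf, n);
        }

        void destroy() {
            if (inflater != null) {
                pool.release(inflater);
                inflater = null;
            }
        }
    }

    /** Defect shape: destroy() only runs when the request is not accepted. */
    static boolean handleLeaky(InflaterPool pool, byte[] compressed, boolean accept, Callback callback)
            throws DataFormatException {
        InflatingRequest request = new InflatingRequest(pool);
        request.readBody(compressed);
        if (!accept) {
            request.destroy();
            return false;
        }
        callback.succeeded(); // request completes, but the Inflater is never returned to the pool
        return true;
    }

    /** Fix shape: the callback is wrapped whenever a request is created, so destroy() runs on success and failure. */
    static boolean handleFixed(InflaterPool pool, byte[] compressed, boolean accept, Callback callback)
            throws DataFormatException {
        InflatingRequest request = new InflatingRequest(pool);
        Callback releasing = new Callback() {
            @Override public void succeeded() { try { callback.succeeded(); } finally { request.destroy(); } }
            @Override public void failed(Throwable cause) { try { callback.failed(cause); } finally { request.destroy(); } }
        };
        try {
            request.readBody(compressed);
        } catch (DataFormatException e) {
            releasing.failed(e); // malformed body: still release the Inflater
            throw e;
        }
        if (!accept) {
            request.destroy();
            return false;
        }
        releasing.succeeded();
        return true;
    }

    /** Builds a constructed zlib-compressed sample body with java.util.zip.Deflater. */
    static byte[] compress(byte[] plain) {
        Deflater deflater = new Deflater();
        deflater.setInput(plain);
        deflater.finish();
        byte[] buf = new byte[4096];
        int n = deflater.deflate(buf);
        deflater.end();
        return Arrays.copyOf(buf, n);
    }

    public static void main(String[] args) throws DataFormatException {
        byte[] body = compress("constructed sample body".getBytes(StandardCharsets.US_ASCII));
        Callback noop = new Callback() {
            @Override public void succeeded() { }
            @Override public void failed(Throwable cause) { }
        };
        InflaterPool leakyPool = new InflaterPool();
        for (int i = 0; i < 1000; i++) handleLeaky(leakyPool, body, true, noop);
        System.out.println("leaky: created=" + leakyPool.created() + " idle=" + leakyPool.idle());

        InflaterPool fixedPool = new InflaterPool();
        for (int i = 0; i < 1000; i++) handleFixed(fixedPool, body, true, noop);
        System.out.println("fixed: created=" + fixedPool.created() + " idle=" + fixedPool.idle());
    }
}
```

Run with `javac InflaterLeakDemo.java && java InflaterLeakDemo`. The leaky pool ends up having allocated one `Inflater` per accepted request with none returned, which is the unbounded growth a heap dump of an affected server shows; the fixed pool allocates a single `Inflater` and has it back in the idle queue after every request. The same counter, or the number of live `java.util.zip.Inflater` instances in a heap histogram (`jmap -histo`), is a practical way to confirm the workaround or an upgraded build on a running server.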
Aliases
0
alias CVE-2026-1605
1
alias GHSA-xxh7-fcf3-rj7f
Fixed_packages
0
url pkg:deb/debian/jetty12@12.0.32-1?distro=trixie
purl pkg:deb/debian/jetty12@12.0.32-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty12@12.0.32-1%3Fdistro=trixie
1
url pkg:deb/debian/jetty12@12.0.33-1
purl pkg:deb/debian/jetty12@12.0.33-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty12@12.0.33-1
2
url pkg:deb/debian/jetty12@12.0.33-1?distro=trixie
purl pkg:deb/debian/jetty12@12.0.33-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty12@12.0.33-1%3Fdistro=trixie
3
url pkg:maven/org.eclipse.jetty/jetty-server@12.0.32
purl pkg:maven/org.eclipse.jetty/jetty-server@12.0.32
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.32
4
url pkg:maven/org.eclipse.jetty/jetty-server@12.1.6
purl pkg:maven/org.eclipse.jetty/jetty-server@12.1.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.1.6
Affected_packages
0
url pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1?distro=trixie
purl pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4g8e-zm2m-6yhv
1
vulnerability VCID-daws-9x98-vbbm
2
vulnerability VCID-e1r9-bbdh-qqf6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1%3Fdistro=trixie
1
url pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1
purl pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4g8e-zm2m-6yhv
1
vulnerability VCID-daws-9x98-vbbm
2
vulnerability VCID-e1r9-bbdh-qqf6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty12@12.0.17-3.1~deb13u1
2
url pkg:maven/org.eclipse.jetty/jetty-server@12.0.0
purl pkg:maven/org.eclipse.jetty/jetty-server@12.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9xw3-4a4u-hbbb
1
vulnerability VCID-daws-9x98-vbbm
2
vulnerability VCID-gq93-ctd4-aqbp
3
vulnerability VCID-q3k2-1x5q-buhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.0
3
url pkg:maven/org.eclipse.jetty/jetty-server@12.0.31
purl pkg:maven/org.eclipse.jetty/jetty-server@12.0.31
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-daws-9x98-vbbm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.31
4
url pkg:maven/org.eclipse.jetty/jetty-server@12.1.0
purl pkg:maven/org.eclipse.jetty/jetty-server@12.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-daws-9x98-vbbm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.1.0
5
url pkg:maven/org.eclipse.jetty/jetty-server@12.1.5
purl pkg:maven/org.eclipse.jetty/jetty-server@12.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-daws-9x98-vbbm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.1.5
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1605.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1605.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1605
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17495
published_at 2026-04-02T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17542
published_at 2026-04-04T12:55:00Z
2
value 0.0006
scoring_system epss
scoring_elements 0.1864
published_at 2026-05-07T12:55:00Z
3
value 0.0006
scoring_system epss
scoring_elements 0.18556
published_at 2026-05-05T12:55:00Z
4
value 0.0006
scoring_system epss
scoring_elements 0.18682
published_at 2026-04-29T12:55:00Z
5
value 0.0006
scoring_system epss
scoring_elements 0.18725
published_at 2026-04-26T12:55:00Z
6
value 0.0006
scoring_system epss
scoring_elements 0.18746
published_at 2026-04-24T12:55:00Z
7
value 0.0006
scoring_system epss
scoring_elements 0.18858
published_at 2026-04-21T12:55:00Z
8
value 0.0006
scoring_system epss
scoring_elements 0.18843
published_at 2026-04-18T12:55:00Z
9
value 0.0006
scoring_system epss
scoring_elements 0.1883
published_at 2026-04-16T12:55:00Z
10
value 0.0006
scoring_system epss
scoring_elements 0.18877
published_at 2026-04-13T12:55:00Z
11
value 0.0006
scoring_system epss
scoring_elements 0.18975
published_at 2026-04-11T12:55:00Z
12
value 0.0006
scoring_system epss
scoring_elements 0.18704
published_at 2026-05-11T12:55:00Z
13
value 0.0006
scoring_system epss
scoring_elements 0.18741
published_at 2026-05-09T12:55:00Z
14
value 0.0006
scoring_system epss
scoring_elements 0.18928
published_at 2026-04-12T12:55:00Z
15
value 0.0006
scoring_system epss
scoring_elements 0.18835
published_at 2026-04-07T12:55:00Z
16
value 0.0006
scoring_system epss
scoring_elements 0.18914
published_at 2026-04-08T12:55:00Z
17
value 0.0006
scoring_system epss
scoring_elements 0.18968
published_at 2026-04-09T12:55:00Z
18
value 0.00063
scoring_system epss
scoring_elements 0.19486
published_at 2026-05-12T12:55:00Z
19
value 0.00078
scoring_system epss
scoring_elements 0.23126
published_at 2026-05-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1605
2
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
3
reference_url https://github.com/jetty/jetty.project/issues/14260
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project/issues/14260
4
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-05T14:46:07Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
5
reference_url https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1605
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1605
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2444815
reference_id 2444815
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2444815
8
reference_url https://github.com/advisories/GHSA-xxh7-fcf3-rj7f
reference_id GHSA-xxh7-fcf3-rj7f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xxh7-fcf3-rj7f
9
reference_url https://access.redhat.com/errata/RHSA-2026:8509
reference_id RHSA-2026:8509
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8509
Weaknesses
0
cwe_id 400
name Uncontrolled Resource Consumption
description The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
1
cwe_id 401
name Missing Release of Memory after Effective Lifetime
description The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
2
cwe_id 772
name Missing Release of Resource after Effective Lifetime
description The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
4
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-daws-9x98-vbbm