VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-ugcc-yrb8-9qg6

Essentials
Severities (54)
References (11)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ugcc-yrb8-9qg6
Aliases	CVE-2025-1948 GHSA-889j-63jv-qhr8
Summary	Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit ### Original Report In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. ### Impact Remote peers can cause the JVM to crash or continuously report OOM. ### Patches 12.0.17 ### Workarounds No workarounds. ### References https://github.com/jetty/jetty.project/issues/12690
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-400	Uncontrolled Resource Consumption
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00052	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-1948
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-889j-63jv-qhr8
cvssv3.1	7.5	https://github.com/jetty/jetty.project
generic_textual	HIGH	https://github.com/jetty/jetty.project
cvssv3.1	7.5	https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
generic_textual	HIGH	https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
cvssv3.1	7.5	https://github.com/jetty/jetty.project/issues/12690
generic_textual	HIGH	https://github.com/jetty/jetty.project/issues/12690
cvssv3.1	7.5	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
cvssv3.1_qr	HIGH	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
generic_textual	HIGH	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
ssvc	Track	https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
cvssv3.1	7.5	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
generic_textual	HIGH	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
ssvc	Track	https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-1948
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-1948

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-1948
		https://github.com/jetty/jetty.project
		https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb
		https://github.com/jetty/jetty.project/issues/12690
		https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8
		https://gitlab.eclipse.org/security/cve-assignement/-/issues/56
		https://nvd.nist.gov/vuln/detail/CVE-2025-1948
2365137		https://bugzilla.redhat.com/show_bug.cgi?id=2365137
GHSA-889j-63jv-qhr8		https://github.com/advisories/GHSA-889j-63jv-qhr8
RHSA-2025:7696		https://access.redhat.com/errata/RHSA-2025:7696

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1948.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/commit/c8c2515936ef968dc8a3cecd9e79d1e69291e4bb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/issues/12690

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:31:29Z/ Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:31:29Z/ Found at https://gitlab.eclipse.org/security/cve-assignement/-/issues/56

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-1948

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.11596
EPSS Score	0.0004
Published At	May 9, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-05-08T20:52:32.315119+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-889j-63jv-qhr8/GHSA-889j-63jv-qhr8.json	36.0.0