CVE-2025-11143: Jetty Auth Bypass Vulnerability

CVE-2025-11143 Overview

The Jetty URI parser contains a vulnerability related to improper input validation (CWE-20) that results in differential parsing behavior when evaluating invalid or unusual URIs. This inconsistency in URI parsing between Jetty and other common parsers can lead to security bypass scenarios in systems that utilize multiple components for URI processing.

When different components in a system interpret URIs differently, security controls such as blacklists or access restrictions may be circumvented. For example, a security component enforcing a blacklist may parse a URI one way while the response-generating component interprets it differently, allowing an attacker to bypass intended restrictions. At minimum, this differential parsing behavior may disclose implementation details about the system architecture.

Critical Impact

Differential URI parsing in Jetty may allow attackers to bypass security controls such as URL blacklists and access restrictions, potentially exposing protected resources or disclosing implementation details.

Affected Products

• Eclipse Jetty (specific versions to be confirmed via security advisory)

Discovery Timeline

• 2026-03-05 - CVE CVE-2025-11143 published to NVD
• 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-11143

Vulnerability Analysis

This vulnerability stems from inconsistencies in how the Jetty URI parser handles malformed or edge-case URIs compared to other commonly used URI parsers. In multi-component architectures where different systems process the same URI, these parsing differences create security gaps.

The root issue lies in input validation—specifically, how Jetty interprets certain URI sequences that other parsers might reject or normalize differently. This creates a situation where a security-enforcing component (such as a WAF, reverse proxy, or application-level filter) may allow a request through while Jetty interprets the URI in an unintended manner.

This class of vulnerability is commonly referred to as "HTTP Request Smuggling" or "Parser Differential" attacks and has been observed in various web server implementations over the years.

Root Cause

The vulnerability originates from improper input validation (CWE-20) in Jetty's URI parsing logic. The parser does not handle certain invalid or unusual URI constructs in a manner consistent with other common implementations, leading to divergent interpretations of the same input across different system components.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. However, exploitation requires specific conditions where:

1. A target system uses Jetty alongside other URI-processing components
2. Security decisions are made based on URI parsing by a component that interprets URIs differently than Jetty
3. The attacker can craft malformed or unusual URIs that exploit these parsing differences

An attacker would craft specially formatted URIs that appear benign to upstream security components but are interpreted differently by Jetty, potentially bypassing blacklists, access controls, or other security mechanisms. The practical impact depends heavily on the specific deployment architecture and security controls in place.

Detection Methods for CVE-2025-11143

Indicators of Compromise

• Unusual or malformed URI patterns in web server access logs
• Requests containing URI encoding anomalies or non-standard path constructs
• Access to resources that should be blocked by configured blacklists or access controls
• Unexpected variations in how URIs are logged versus how they are processed

Detection Strategies

• Monitor web application logs for URIs containing unusual encoding sequences or path manipulation patterns
• Implement logging at multiple layers (reverse proxy, WAF, application server) and correlate URI interpretations
• Deploy intrusion detection rules to flag requests with known URI parsing bypass patterns
• Use SentinelOne Singularity to monitor for suspicious application behavior resulting from URI manipulation

Monitoring Recommendations

• Enable verbose URI logging in Jetty and compare against upstream component logs
• Configure alerts for discrepancies between security component decisions and actual resource access
• Monitor application error logs for path resolution anomalies
• Implement continuous security scanning to identify potential URI parsing vulnerabilities in deployed configurations

How to Mitigate CVE-2025-11143

Immediate Actions Required

• Review the GitHub Security Advisory for specific remediation guidance
• Audit system architecture to identify components that make security decisions based on URI parsing
• Consider implementing URI normalization at the earliest entry point in your request processing pipeline
• Review access control configurations that rely on URL-based restrictions
• Test existing security controls with malformed URI test cases

Patch Information

Refer to the official GitHub Security Advisory for specific patch information, affected versions, and upgrade instructions. Apply the latest Jetty security updates as soon as they become available.

Workarounds

• Implement consistent URI normalization at the network edge before requests reach Jetty
• Configure reverse proxies or WAFs to reject malformed or unusual URI patterns
• Use allowlist-based access controls rather than blacklists where possible
• Deploy multiple layers of URI validation to reduce reliance on single-component parsing decisions
• Consider implementing custom request filters to sanitize URI input before processing

# Example: Configure Jetty to use strict URI handling (consult documentation for your version)
# Add to start.ini or start.d configuration
--module=http
jetty.httpConfig.uriCompliance=RFC3986