CVE-2025-1948 Overview
CVE-2025-1948 is a resource exhaustion vulnerability affecting Eclipse Jetty versions 12.0.0 through 12.0.16. The vulnerability exists in the HTTP/2 server implementation where an attacker can specify an excessively large value for the SETTINGS_MAX_HEADER_LIST_SIZE HTTP/2 settings parameter. The Jetty HTTP/2 server fails to validate this setting and attempts to allocate a ByteBuffer of the specified capacity to encode HTTP responses, which can result in an OutOfMemoryError being thrown or even cause the JVM process to exit entirely.
Critical Impact
Remote attackers can crash Jetty-based applications by exhausting server memory through malicious HTTP/2 SETTINGS frames, causing denial of service without authentication.
Affected Products
- Eclipse Jetty versions 12.0.0 through 12.0.16
Discovery Timeline
- 2025-05-08 - CVE-2025-1948 published to NVD
- 2025-07-31 - Last updated in NVD database
Technical Details for CVE-2025-1948
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The core issue lies in the Jetty HTTP/2 server's handling of the SETTINGS_MAX_HEADER_LIST_SIZE parameter during HTTP/2 connection negotiation. When an HTTP/2 client sends a SETTINGS frame, it can include this parameter to indicate the maximum size of a header list that it is willing to accept. The Jetty server incorrectly trusts this client-provided value without any upper-bound validation and uses it to allocate memory for encoding HTTP response headers.
An attacker can exploit this by establishing an HTTP/2 connection and sending a SETTINGS frame with an extremely large SETTINGS_MAX_HEADER_LIST_SIZE value. When the server attempts to respond, it tries to allocate a ByteBuffer matching this size, leading to immediate memory exhaustion on the server. This attack requires no authentication and can be executed remotely over the network.
Root Cause
The root cause is improper input validation in the Jetty HTTP/2 server's settings handling code. The server accepts and uses client-provided SETTINGS_MAX_HEADER_LIST_SIZE values without implementing reasonable maximum bounds or sanity checks. This allows an attacker to control the size of memory allocations on the server, violating the principle of never trusting client-provided data for critical resource decisions.
Attack Vector
The attack is conducted over the network via the HTTP/2 protocol. An attacker initiates an HTTP/2 connection to the vulnerable Jetty server and sends a SETTINGS frame containing an extremely large value (potentially up to the maximum integer value) for SETTINGS_MAX_HEADER_LIST_SIZE. When the server processes any subsequent request and attempts to encode response headers, it allocates a ByteBuffer based on this malicious value, causing immediate memory exhaustion that can crash the JVM process.
The attack requires no user interaction, no authentication, and has low complexity to execute, making it particularly dangerous for internet-facing Jetty deployments.
Detection Methods for CVE-2025-1948
Indicators of Compromise
- Unexpected JVM crashes with OutOfMemoryError in Jetty server logs
- HTTP/2 connections from suspicious sources with abnormally large SETTINGS frames
- Rapid memory consumption spikes coinciding with HTTP/2 connection attempts
- Service availability issues affecting Jetty-based applications
Detection Strategies
- Monitor JVM heap memory usage for sudden spikes during HTTP/2 connection establishment
- Implement network-level inspection for HTTP/2 SETTINGS frames with unusually large SETTINGS_MAX_HEADER_LIST_SIZE values
- Configure application performance monitoring (APM) to alert on OutOfMemoryError exceptions in Jetty components
- Review HTTP/2 connection logs for patterns of connections that immediately trigger resource exhaustion
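Detection logic for the network-level inspection strategy above, added here as an example and not code from this page or from the Jetty project: it parses a raw HTTP/2 byte stream (optional client preface followed by frames), decodes SETTINGS frames, and reports any advertised SETTINGS_MAX_HEADER_LIST_SIZE above a threshold. The 1 MiB alert threshold and the sample frames are constructed for this example; the page gives no threshold figure.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # HTTP/2 client connection preface
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6                # settings identifier from RFC 9113
# Assumed alert threshold (1 MiB); constructed for this example, not a Jetty default
SUSPICIOUS_THRESHOLD = 1 << 20

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete HTTP/2 frame in data."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")          # 24-bit payload length
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                                 # truncated tail, stop cleanly
        yield ftype, flags, stream_id, payload
        off += 9 + length

def parse_settings(payload):
    """Decode a SETTINGS payload into {identifier: value}; None if malformed (not 6-byte aligned)."""
    if len(payload) % 6:
        return None
    return dict(struct.unpack(">HI", payload[i:i + 6]) for i in range(0, len(payload), 6))

def find_oversized_settings(data, threshold=SUSPICIOUS_THRESHOLD):
    """Return advertised SETTINGS_MAX_HEADER_LIST_SIZE values above threshold (ACK frames skipped)."""
    hits = []
    for ftype, flags, _stream, payload in parse_frames(data):
        if ftype != FRAME_TYPE_SETTINGS or flags & FLAG_ACK:
            continue
        settings = parse_settings(payload) or {}
        value = settings.get(SETTINGS_MAX_HEADER_LIST_SIZE)
        if value is not None and value > threshold:
            hits.append(value)
    return hits

def build_settings_frame(settings):
    """Encode a SETTINGS frame on stream 0; used only to construct sample input for the detector."""
    payload = b"".join(struct.pack(">HI", k, v) for k, v in settings.items())
    return len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0]) + bytes(4) + payload

# Constructed samples: a benign client preface+SETTINGS, and one advertising an Integer.MAX_VALUE-sized limit
BENIGN = PREFACE + build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 8192})
OVERSIZED = PREFACE + build_settings_frame({0x3: 100, SETTINGS_MAX_HEADER_LIST_SIZE: 0x7FFFFFFF})
```

On a TLS-protected connection this check can only run where the traffic is in the clear, such as on a terminating proxy or on the server itself, so pair it with the JVM memory alerts above.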
Monitoring Recommendations
- Set up alerts for JVM memory usage exceeding normal operational thresholds
- Enable detailed HTTP/2 frame logging in non-production environments to identify attack patterns
- Monitor for repeated connection attempts from single sources that correlate with memory issues
- Implement health check endpoints to detect service degradation quickly
How to Mitigate CVE-2025-1948
Immediate Actions Required
- Upgrade Eclipse Jetty to version 12.0.17 or later immediately
- If immediate upgrade is not possible, consider temporarily disabling HTTP/2 support and using HTTP/1.1 only
- Implement network-level controls to rate-limit new HTTP/2 connections from individual sources
- Review and strengthen JVM memory configuration to limit maximum heap size as a defensive measure
Patch Information
Eclipse has released a fix for this vulnerability. Users should upgrade to Jetty version 12.0.17 or later, which includes proper validation of the SETTINGS_MAX_HEADER_LIST_SIZE parameter. Detailed patch information is available in the GitHub Security Advisory. Additional tracking information can be found at the Eclipse GitLab CVE Issue.
Workarounds
- Disable HTTP/2 support temporarily by configuring Jetty to accept only HTTP/1.1 connections
- Deploy a reverse proxy or web application firewall (WAF) in front of Jetty that can inspect and filter HTTP/2 SETTINGS frames
- Implement connection rate limiting at the network level to reduce the impact of repeated attack attempts
- Configure JVM memory limits so that a single Jetty process cannot exhaust host memory, though this does not prevent the denial of service
# Configuration example - Disable HTTP/2 in Jetty (temporary workaround)
# In jetty-http2.xml or the equivalent configuration, remove or comment out the HTTP/2 connector
# Alternatively, configure your reverse proxy to forward only HTTP/1.1 connections to Jetty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.