CVE-2025-5115 Overview
CVE-2025-5115 is a resource exhaustion vulnerability in Eclipse Jetty's HTTP/2 implementation that allows remote attackers to consume excessive server resources (CPU and memory) by forcing the server to generate RST_STREAM frames. An HTTP/2 client can exploit this by sending malformed frames or frames that violate protocol state rules, causing the server to continuously process and respond to invalid requests without exceeding concurrent stream limits.
Critical Impact
Remote attackers can degrade or deny service availability by exhausting server resources through crafted HTTP/2 frame sequences, affecting downstream system availability.
Affected Products
- Eclipse Jetty versions <=9.4.57
- Eclipse Jetty versions <=10.0.25
- Eclipse Jetty versions <=11.0.25
- Eclipse Jetty versions <=12.0.21
- Eclipse Jetty versions <=12.1.0.alpha2
Discovery Timeline
- August 20, 2025 - CVE-2025-5115 published to NVD
- January 27, 2026 - Last updated in NVD database
Technical Details for CVE-2025-5115
Vulnerability Analysis
This vulnerability affects Eclipse Jetty's HTTP/2 server implementation across multiple major version branches. The core issue lies in how Jetty handles malformed or protocol-violating HTTP/2 frames from clients.
According to RFC 9113, when a server receives an illegal WINDOW_UPDATE frame (such as one with a window size increment of 0), it must respond with a RST_STREAM frame. The vulnerability arises because an attacker can exploit this required behavior to force the server to allocate resources for processing each malformed request.
The attack bypasses typical concurrent stream limitations because the attacker opens streams, sends invalid frames, receives RST_STREAM responses, and then repeats the process. This allows the creation of an enormous number of streams in rapid succession while technically staying within concurrent stream limits at any given moment.
Root Cause
The root cause is classified as CWE-400: Uncontrolled Resource Consumption. Jetty's HTTP/2 implementation did not implement adequate rate limiting or resource controls for handling streams that result in RST_STREAM responses. The server dutifully follows the HTTP/2 specification by sending RST_STREAM frames for protocol violations, but this compliance becomes a vector for resource exhaustion when exploited at scale.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability through multiple methods:
- Illegal WINDOW_UPDATE Frames: Opening streams and sending WINDOW_UPDATE frames with a window size increment of 0, which violates RFC 9113 and forces RST_STREAM responses.
- DATA Frames for Closed Streams: Sending DATA frames targeting streams that have already been closed, triggering error handling and RST_STREAM generation.
- Other Protocol Violations: Any frame sequence that violates HTTP/2 state machine rules and requires RST_STREAM responses can be weaponized for this attack.
The attack exploits a gap between per-stream limits and the aggregate resource cost of stream creation/termination cycles.
Detection Methods for CVE-2025-5115
Indicators of Compromise
- Unusual spikes in RST_STREAM frame generation from Jetty servers
- Elevated CPU utilization on servers handling HTTP/2 traffic without corresponding legitimate traffic increases
- Abnormally high stream creation rates from individual client connections
- Memory pressure on Jetty instances correlating with HTTP/2 connection activity
Detection Strategies
- Monitor HTTP/2 connection metrics for streams created per second per connection, alerting on anomalous patterns
- Implement network-level detection for connections sending repeated malformed HTTP/2 frames
- Configure application performance monitoring to track Jetty thread pool exhaustion and memory allocation rates
- Deploy intrusion detection rules to identify WINDOW_UPDATE frames with zero increment values
Monitoring Recommendations
- Enable Jetty's HTTP/2 debug logging during investigation to capture frame-level details
- Track server-side RST_STREAM frame counts as a potential attack indicator
- Monitor connection duration versus stream count ratios for individual clients
- Set up alerting for resource exhaustion patterns in Jetty server metrics
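As an added example (not from this page or the Jetty project), the per-connection checks in the detection and monitoring lists above, run over a constructed stream of frame-level events: a sliding-window count of server-side RST_STREAM frames and the stream-count-versus-connection-duration ratio. The event line format, the 50-per-second threshold and the sample data are assumptions, not Jetty's actual debug log format.

```python
"""Per-connection RST_STREAM rate and stream-churn detector (added example, not Jetty code)."""
from collections import defaultdict, deque

RST_PER_SECOND_LIMIT = 50   # assumed alert threshold, tune against your own baseline

def parse_event(line):
    """Parse a constructed event line '<epoch_seconds> <conn_id> <frame_type> <stream_id>'.
    This stand-in format is an assumption, not Jetty's actual debug log format."""
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)

def detect_rst_storms(lines, limit=RST_PER_SECOND_LIMIT, window=1.0):
    """Sliding-window count of server-side RST_STREAM frames per connection; returns
    {conn_id: peak count within any `window` seconds} for connections above `limit`."""
    recent, peaks = defaultdict(deque), defaultdict(int)
    for line in lines:
        ts, conn, frame, _ = parse_event(line)
        if frame != "RST_STREAM":
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        peaks[conn] = max(peaks[conn], len(q))
    return {c: n for c, n in peaks.items() if n > limit}

def stream_churn(lines):
    """Streams opened (HEADERS frames) per second of observed connection lifetime:
    the stream-count-versus-connection-duration ratio from the monitoring list."""
    first, last, opened = {}, {}, defaultdict(int)
    for line in lines:
        ts, conn, frame, _ = parse_event(line)
        first.setdefault(conn, ts)
        last[conn] = ts
        if frame == "HEADERS":
            opened[conn] += 1
    return {c: opened[c] / max(last[c] - first[c], 1.0) for c in first}

# Constructed sample: connection A is a normal client; connection B opens a stream,
# provokes a RST_STREAM and repeats 200 times within one second.
SAMPLE = ["1000.000 A HEADERS 1", "1000.400 A DATA 1", "1002.000 A HEADERS 3"]
for _i in range(200):
    _sid = 2 * _i + 1
    SAMPLE.append(f"{1000 + _i * 0.004:.3f} B HEADERS {_sid}")
    SAMPLE.append(f"{1000 + _i * 0.004 + 0.001:.3f} B RST_STREAM {_sid}")

if __name__ == "__main__":
    print(detect_rst_storms(SAMPLE))   # {'B': 200}
    print(stream_churn(SAMPLE))        # {'A': 1.0, 'B': 200.0}
```

Feeding real frame-level records only requires replacing parse_event with a parser for your own log or metrics format.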
How to Mitigate CVE-2025-5115
Immediate Actions Required
- Upgrade Eclipse Jetty to a patched version immediately: 9.4.58, 10.0.26, 11.0.26, 12.0.25, or 12.1.0
- Review and restrict access to HTTP/2 endpoints from untrusted networks if patching is delayed
- Implement rate limiting at the load balancer or reverse proxy level to throttle connection attempts
- Monitor Jetty server resource utilization closely until patches are applied
Patch Information
Eclipse has released patched versions across all affected version branches. Organizations should upgrade to the following versions:
- Jetty 9.x: Upgrade to version 9.4.58
- Jetty 10.x: Upgrade to version 10.0.26
- Jetty 11.x: Upgrade to version 11.0.26
- Jetty 12.0.x: Upgrade to version 12.0.25
- Jetty 12.1.x: Upgrade to version 12.1.0
Technical details of the fix can be found in the GitHub Pull Request #13449. Additional information is available in the GitHub Security Advisory GHSA-mmxm-8w33-wc4h.
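An added inventory check (not Eclipse's code) that applies the per-branch fixed versions listed above to dependency coordinates, treating a pre-release of the fixed version such as 12.1.0.alpha2 as affected. The coordinate strings are constructed, and the handling of the .vYYYYMMDD build tag on Jetty 9.x release versions is an assumption about the version format rather than anything this page states.

```python
"""Triage Jetty dependency versions against CVE-2025-5115 (added example, not Eclipse's code)."""
import re

# Fixed version per branch, taken from the patch table on this page.
FIXED = {(9, 4): (9, 4, 58), (10, 0): (10, 0, 26), (11, 0): (11, 0, 26),
         (12, 0): (12, 0, 25), (12, 1): (12, 1, 0)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+\d*))?$")
_BUILD_TAG_RE = re.compile(r"^v\d{8}$")   # Jetty 9.x releases carry a .vYYYYMMDD build tag

def parse_version(text):
    """Return ((major, minor, patch), prerelease): prerelease is None for a final release
    and the qualifier string for a pre-release (e.g. 'alpha2' in 12.1.0.alpha2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    qualifier = m.group(4)
    if qualifier and _BUILD_TAG_RE.match(qualifier):
        qualifier = None   # a dated build tag marks a final release, not a pre-release
    return nums, qualifier

def is_affected(text):
    """True if below the branch's fixed version, or a pre-release of the fixed version
    itself (12.1.0.alpha2 is affected, 12.1.0 is not). None for branches not listed."""
    nums, prerelease = parse_version(text)
    fixed = FIXED.get(nums[:2])
    if fixed is None:
        return None
    return nums < fixed or (nums == fixed and prerelease is not None)

def upgrade_target(text):
    """Dotted fixed version for the branch of `text`, or None if the branch is unknown."""
    fixed = FIXED.get(parse_version(text)[0][:2])
    return None if fixed is None else ".".join(map(str, fixed))

def triage(coordinates):
    """Map each affected Jetty 'group:artifact:version' coordinate to its upgrade target."""
    out = {}
    for coord in coordinates:
        group, _artifact, version = coord.split(":")
        if group.startswith("org.eclipse.jetty") and is_affected(version):
            out[coord] = upgrade_target(version)
    return out

# Constructed inventory for illustration, not taken from any real build.
INVENTORY = ["org.eclipse.jetty:jetty-server:9.4.57.v20241219",
             "org.eclipse.jetty:jetty-server:12.0.25",
             "org.eclipse.jetty.http2:jetty-http2-server:12.1.0.alpha2",
             "org.eclipse.jetty:jetty-server:10.0.26"]
```

Calling triage(INVENTORY) on the constructed list flags the 9.4.57 and 12.1.0.alpha2 entries and maps them to 9.4.58 and 12.1.0 respectively.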
Workarounds
- Disable HTTP/2 support and fall back to HTTP/1.1 if not required for business operations
- Deploy a Web Application Firewall (WAF) or reverse proxy capable of inspecting and filtering HTTP/2 traffic
- Implement connection rate limiting at the network perimeter to reduce attack surface
- Configure resource limits (memory, threads) for Jetty instances to prevent complete exhaustion
# Example: disable HTTP/2 in Jetty by removing the http2 module from $JETTY_BASE
cd "$JETTY_BASE"
java -jar "$JETTY_HOME/start.jar" --remove-module=http2
# (equivalently, remove the http2 module line from start.ini, or the http2.ini file
# from start.d, whichever form your $JETTY_BASE uses)

# Or, if HTTP/2 must stay enabled, cap per-connection HTTP/2 resources in $JETTY_BASE/start.ini.
# These bound concurrent streams and header size; they do not rate-limit the open/RST_STREAM
# churn described above, so they reduce exposure but do not replace the patch.
jetty.http2.maxConcurrentStreams=100
jetty.http2.maxRequestHeadersSize=8192
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.