
CVE-2025-11143 is a URI differential parsing vulnerability in Eclipse Jetty's jetty-http component, classified as "Different parsing of invalid URIs" (GHSA-wjpw-4j6x-6rwh). The Jetty URI parser handles invalid or unusual URIs differently from other common parsers, which can allow attackers to bypass URI-based security controls (e.g., blacklist filters) or disclose implementation details. Affected versions span Eclipse Jetty 9.4.0–9.4.58, 10.0.0–10.0.26, 11.0.0–11.0.26, 12.0.0–12.0.30, and 12.1.0–12.1.4. The vulnerability was published on March 5, 2026, with patches available in 12.0.31 and 12.1.5. The official CVSS v3.1 score from the Jetty advisory is 3.7 (Low), while NVD assigns 6.5 (Medium) (GitHub Advisory, Red Hat Advisory).
The root cause is improper input validation (CWE-20) combined with inconsistent interpretation of HTTP requests (CWE-444), manifesting as differential URI parsing behavior. Jetty's parser diverges from other common parsers in at least four documented scenarios: (1) invalid URI schemes (e.g., https>:// parsed as scheme http> by Jetty vs. https by others); (2) improper IPv4-mapped IPv6 addresses accepted by Jetty but rejected as invalid by other parsers; (3) incorrect IPv6 delimiter priority, where Jetty extracts unexpected host values from URIs like http://[normal.com@]vulndetector.com/; and (4) incorrect general delimiter priority, where Jetty resolves http://normal.com/#@vulndetector.com to host vulndetector.com while other parsers resolve it to normal.com. An unauthenticated network attacker can craft malformed URIs that a security filter component (using one parser) and the backend Jetty handler parse differently, enabling a security bypass (GitHub Advisory).
Successful exploitation allows an unauthenticated remote attacker to bypass URI-based security controls such as blacklist filters, potentially gaining access to restricted endpoints that should be blocked. At minimum, the differential parsing behavior can leak implementation details about the URI parsing logic, aiding further reconnaissance. There is no direct confidentiality or availability impact beyond what is reachable through the bypassed security control; the primary risk is integrity-related unauthorized access to protected resources (GitHub Advisory, Red Hat Advisory).
Upgrade Eclipse Jetty to a patched version: 12.0.31 or 12.1.5 (available on Maven Central). For end-of-life branches (9.4.x, 10.0.x, 11.0.x), patches are available through the commercial support providers TuxCare and HeroDevs. No official workaround exists per the vendor advisory. As a defense-in-depth measure, validate and normalize URIs at multiple points in the application stack rather than relying solely on a single parser, and ensure security filters operate on the same normalized URI representation used by the backend. IBM has released patches for affected products including Sterling Control Center, Operational Decision Manager, EDB PGAI Hybrid Management, and Cloudera Data Platform Private Cloud Base (GitHub Advisory, IBM Sterling Advisory, Oracle CPU Apr 2026).
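The defense-in-depth point above (a filter must not let through a URI whose host it reads differently from the backend) can be made concrete. The following is an added example, not code from the Jetty project or the advisory: a strict RFC 3986 host extractor for use in front of a backend, which rejects the four malformed shapes described earlier (bad scheme characters, malformed IPv4-mapped IPv6 literals, brackets mixed with userinfo, and '#@' after the path) instead of guessing which reading the backend will apply. The host names and the blocked-host set are constructed sample values.

```python
import re
from ipaddress import IPv6Address, AddressValueError

# Strict RFC 3986 grammar for the components a filter and a backend must agree on.
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")
USERINFO_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")
REG_NAME_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")
PORT_RE = re.compile(r"(?::[0-9]*)?")


def strict_host(uri: str) -> str:
    """Return the host of `uri` under a strict RFC 3986 reading, or raise ValueError.

    Raising is the point: a URI that a lenient parser accepts but this grammar
    rejects is exactly where parser differentials live, so the filter refuses it.
    """
    # The scheme is everything before the first ':' and must match the scheme
    # grammar, so 'https>://...' is rejected rather than read as 'http>' or 'https'.
    scheme, sep, rest = uri.partition(":")
    if not sep or not SCHEME_RE.fullmatch(scheme):
        raise ValueError(f"invalid scheme {scheme!r}")
    if not rest.startswith("//"):
        raise ValueError("no authority component")
    # The authority ends at the first '/', '?' or '#', so text after the path,
    # including '#@other.host', can never move the host (general delimiter priority).
    authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    # userinfo, if present, ends at the last '@' of the authority
    userinfo, at, hostport = authority.rpartition("@")
    if at and not USERINFO_RE.fullmatch(userinfo):
        raise ValueError(f"invalid userinfo {userinfo!r}")
    if hostport.startswith("["):
        # IP-literal: must be bracketed and hold a well-formed IPv6 address; the
        # ipaddress module rejects malformed IPv4-mapped forms such as ::ffff:1.2.3
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IP-literal")
        literal, port = hostport[1:end], hostport[end + 1:]
        try:
            IPv6Address(literal)
        except AddressValueError as exc:
            raise ValueError(f"invalid IPv6 literal {literal!r}: {exc}") from None
        host = f"[{literal}]"
    else:
        host, colon, digits = hostport.partition(":")
        port = colon + digits
        if not REG_NAME_RE.fullmatch(host):
            raise ValueError(f"invalid reg-name {host!r}")
    if not PORT_RE.fullmatch(port):
        raise ValueError(f"invalid port {port!r}")
    return host.lower()


def filter_verdict(uri: str, blocked_hosts) -> str:
    """Gate a request: 'reject' on parse failure, 'deny' on a blocked host, else 'allow'."""
    try:
        host = strict_host(uri)
    except ValueError:
        return "reject"
    return "deny" if host in blocked_hosts else "allow"
```

Because the gate fails closed on anything the strict grammar cannot parse, a request only reaches the backend with a host value that any RFC-conformant parser would agree on.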
The vulnerability was reported by security researchers zer0yu and P3ngu1nW, who produced four detailed technical PDF reports covering each parsing discrepancy scenario (invalid scheme, IPv4-mapped IPv6, IPv6 delimiter priority, and general delimiter priority). Red Hat tracked the issue via Bugzilla with 95 CC'd stakeholders, reflecting broad concern across the Java ecosystem. Oracle included it in the April 2026 Critical Patch Update, and multiple IBM product lines issued security bulletins. The openSUSE security team also issued advisories for affected packages (GitHub Advisory, Red Hat Bugzilla).
Source: This report was generated using artificial intelligence