CVE-2025-11143
Java Vulnerability Analysis and Mitigation

Overview

CVE-2025-11143 is a URI differential parsing vulnerability in Eclipse Jetty's jetty-http component, classified as "Different parsing of invalid URIs" (GHSA-wjpw-4j6x-6rwh). The Jetty URI parser handles invalid or unusual URIs differently from other common parsers, which can allow attackers to bypass URI-based security controls (e.g., blacklist filters) or disclose implementation details. Affected versions span Eclipse Jetty 9.4.0–9.4.58, 10.0.0–10.0.26, 11.0.0–11.0.26, 12.0.0–12.0.30, and 12.1.0–12.1.4. The vulnerability was published on March 5, 2026, with patches available in 12.0.31 and 12.1.5. The official CVSS v3.1 score from the Jetty advisory is 3.7 (Low), while NVD assigns 6.5 (Medium) (Github Advisory, Red Hat Advisory).

Technical Details

The root cause is improper input validation (CWE-20) combined with inconsistent interpretation of HTTP requests (CWE-444), manifesting as differential URI parsing behavior. Jetty's parser diverges from other common parsers in at least four documented scenarios: (1) invalid URI schemes (e.g., https>:// parsed as scheme http> by Jetty vs. https by others); (2) improper IPv4-mapped IPv6 addresses accepted by Jetty but rejected as invalid by other parsers; (3) incorrect IPv6 delimiter priority, where Jetty extracts unexpected host values from URIs like http://[normal.com@]vulndetector.com/; and (4) incorrect general delimiter priority, where Jetty resolves http://normal.com/#@vulndetector.com to host vulndetector.com while other parsers resolve it to normal.com. An unauthenticated network attacker can craft malformed URIs that are parsed differently by a security filter component (using one parser) versus the backend Jetty handler, enabling security bypass (Github Advisory).

Impact

Successful exploitation allows an unauthenticated remote attacker to bypass URI-based security controls such as blacklist filters, potentially gaining access to restricted endpoints that should be blocked. At minimum, the differential parsing behavior can leak implementation details about the URI parsing logic, aiding further reconnaissance. There is no direct confidentiality or availability impact beyond what is accessible through the bypassed security control; the primary risk is integrity-related unauthorized access to protected resources (Github Advisory, Red Hat Advisory).

Exploitation Steps

  1. Reconnaissance: Identify target applications using Eclipse Jetty (versions 9.4.0–9.4.58, 10.0.0–10.0.26, 11.0.0–11.0.26, 12.0.0–12.0.30, or 12.1.0–12.1.4) as a web server or embedded HTTP component, particularly those with URI-based security filters (e.g., blacklists, access control rules).
  2. Identify security filter architecture: Determine whether the application uses a multi-component architecture where one component (e.g., a reverse proxy or WAF) enforces URI-based access controls while Jetty handles the backend response.
  3. Craft malformed URI: Construct a URI that exploits one of the known parsing discrepancies — for example, use http://normal.com/#@restricted-endpoint.com or http://[normal.com@]restricted.internal/ to cause the security filter to evaluate the host as normal.com (allowed) while Jetty routes the request to the restricted endpoint.
  4. Send crafted request: Submit the malformed URI to the target application. The security filter passes the request as benign, while Jetty's parser resolves it to the restricted resource.
  5. Access restricted resource: Receive the response from the restricted endpoint, effectively bypassing the URI-based access control (Github Advisory).

Indicators of Compromise

  • Network: HTTP requests containing malformed URIs with unusual delimiters such as #@, ?@, [@], or malformed IPv6 addresses (e.g., http://[0:0:0:0:0:ffff:127.0.0.1]) targeting restricted paths; requests where the Host header or URI path contains embedded @ symbols or bracket sequences outside standard IPv6 notation.
  • Logs: Jetty access logs showing requests to restricted or internal endpoints from external sources that should have been blocked by upstream security filters; discrepancies between access log entries in a reverse proxy/WAF and Jetty's own access logs for the same request.
  • Application: Unexpected access to blacklisted or restricted URI paths recorded in application-level audit logs, particularly from unauthenticated sessions.

Mitigation and Workarounds

Upgrade Eclipse Jetty to a patched version: 12.0.31 or 12.1.5 (available on Maven Central). For end-of-life branches (9.4.x, 10.0.x, 11.0.x), patches are available through commercial support providers TuxCare and HeroDevs. No official workaround exists per the vendor advisory. As a defense-in-depth measure, validate and normalize URIs at multiple points in the application stack rather than relying solely on a single parser, and ensure security filters operate on the same normalized URI representation used by the backend. IBM has released patches for affected products including Sterling Control Center, Operational Decision Manager, EDB PGAI Hybrid Management, and Cloudera Data Platform Private Cloud Base (Github Advisory, IBM Sterling Advisory, Oracle CPU Apr 2026).
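The defense-in-depth advice above (make the filter and the backend agree, and refuse what cannot be parsed unambiguously) and the network/log indicators listed earlier, as one added example that is not from the Jetty project or the advisory. It assumes a conservative policy of rejecting every request-target shape the advisory's four scenarios rely on, and the access-log lines it scans are constructed.

```python
"""Added example, not from the Jetty project or the advisory: a conservative
request-target check refusing the URI shapes CVE-2025-11143 describes, so an
upstream filter never admits a target the backend may resolve to another host,
plus a scan of constructed access-log lines for the same shapes."""
import ipaddress
import re
_ABS_RE = re.compile(r"^([^:/?#]+)://([^/?#]*)")        # scheme, authority
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")   # RFC 3986 scheme grammar
_IPV6_AUTH_RE = re.compile(r"^\[([^\]]*)\](?::\d*)?$")  # "[literal]" + optional port
_REG_NAME_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+(?::\d*)?$")
_REQ_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')             # request-target in an NCSA log line

def check_request_target(target):
    """Return ('allow', host) or ('deny', reason); origin-form targets like
    '/api/x' have no authority, so only the '@' rule applies to them."""
    # Jetty gives '@' priority over '/', '#' and ']' in the advisory's scenarios
    # (3) and (4); other parsers do not, so refuse it before the query component.
    if "@" in target.split("?", 1)[0]:
        return "deny", "'@' outside query component"
    m = _ABS_RE.match(target)
    if not m:
        return "allow", None
    scheme, authority = m.groups()
    if not _SCHEME_RE.match(scheme):                   # scenario (1): e.g. 'https>'
        return "deny", "scheme violates RFC 3986 grammar"
    v6 = _IPV6_AUTH_RE.match(authority)
    if v6:
        try:
            addr = ipaddress.IPv6Address(v6.group(1))
        except ValueError:
            return "deny", "bracketed host is not a valid IPv6 literal"
        if addr.ipv4_mapped is not None:               # scenario (2); policy choice
            return "deny", "IPv4-mapped IPv6 literal not accepted"
        return "allow", v6.group(1)
    if not _REG_NAME_RE.match(authority):              # also catches stray brackets
        return "deny", "malformed authority"
    return "allow", authority.rsplit(":", 1)[0]        # drop optional port

# Constructed Jetty-style access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "GET http://normal.com/#@vulndetector.com HTTP/1.1" 200 77',
    '203.0.113.7 - - [05/Mar/2026:10:00:03 +0000] "GET http://[0:0:0:0:0:ffff:127.0.0.1]/admin HTTP/1.1" 200 91',
]

def scan_access_log(lines):
    """Return [(line_number, reason)] for requests whose target fails the check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        verdict, detail = check_request_target(m.group(1)) if m else ("allow", None)
        if verdict == "deny":
            hits.append((n, detail))
    return hits
```

Running the same check in the proxy/WAF and as a Jetty filter means a discrepancy in the parsed host can no longer be reached, because every ambiguous target is refused before either parser sees it.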

Community Response

The vulnerability was reported by security researchers zer0yu and P3ngu1nW, who produced four detailed technical PDF reports covering each parsing discrepancy scenario (invalid scheme, IPv4-mapped IPv6, IPv6 delimiter priority, and general delimiter priority). Red Hat tracked the issue via Bugzilla with 95 CC'd stakeholders, reflecting broad concern across the Java ecosystem. Oracle included it in the April 2026 Critical Patch Update, and multiple IBM product lines issued security bulletins. The openSUSE security team also issued advisories for affected packages (Github Advisory, Red Hat Bugzilla).

Additional Resources


This report was generated using AI.
