CVE-2024-13009
Java vulnerability analysis and mitigation

Overview

Eclipse Jetty versions 9.4.0 through 9.4.56 contain a high-severity flaw in which a buffer can be incorrectly released when a gzip error occurs while inflating a request body. The vulnerability, tracked as CVE-2024-13009, was publicly disclosed in May 2025 and affects the GzipHandler component of the Jetty server. It has been assigned a CVSS v3.1 base score of 7.2 (High) and is classified as CWE-404 (Improper Resource Shutdown or Release) (Eclipse Advisory, Wiz).

Technical details

The bug is in how GzipHandler handles a failed inflation of a gzip-encoded request body: when the inflater hits a gzip error, the handler releases its buffer incorrectly. Because Jetty pools and reuses these buffers, a buffer released at the wrong time can be handed to another request that is in flight at the same time, which is why the problem is most visible in high-volume deployments where GzipHandler serves a mix of compressed and uncompressed requests concurrently. Reports of the issue also describe it appearing with uncompressed requests to paths not explicitly listed in the handler's includedPaths, and it has been observed primarily in production environments under sustained load (Eclipse Advisory, Wiz).

Impact

The vulnerability can result in corrupted request data and/or inadvertent sharing of data between requests. Specifically, a portion of the request body from one request can overwrite a portion of the request body of another, concurrent request, so one client's data can be processed as if it belonged to another client. No exception is raised when this happens and both requests appear to have been consumed fully, so the corruption is silent and unlikely to show up in server logs; this is what makes the issue particularly concerning (Eclipse Advisory, Wiz).

Mitigation and workarounds

The permanent fix is to upgrade to Jetty 9.4.57 or later; later major lines (10.x and up) are not in the affected range given by the advisory. Where an upgrade is not immediately possible, a workaround is to disable gzip inflation of request body content, or to leave it disabled if it was never enabled (in Jetty 9.4 request inflation is opt-in via GzipHandler's inflateBufferSize, where 0 disables inflation; in the standard gzip module this is the jetty.gzip.inflateBufferSize property). Note that disabling inflation means clients sending a Content-Encoding: gzip request body will no longer have it decompressed by the handler. Alternatively, organizations can deploy a custom handler that extends Jetty's GzipHandler and bypasses it for the specific paths where uncompressed requests are expected (Eclipse Advisory, Wiz).
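The following is an added example, not code from the Eclipse Jetty project or from the advisory, showing the two configurations side by side for a Jetty 9.4 server: the risky setting that enables request-body inflation, the workaround that leaves inflation disabled, and a subclass of GzipHandler that skips gzip handling for selected path prefixes. The class name PathBypassGzipHandler, the prefix list, and the EchoHandler used as the downstream handler are assumptions made for this example; the GzipHandler, HandlerWrapper and Request APIs are those of Jetty 9.4.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;

public class GzipInflationExample {

    /** Hypothetical downstream handler that echoes the request body back. */
    static class EchoHandler extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException {
            response.setContentType("application/octet-stream");
            request.getInputStream().transferTo(response.getOutputStream());
            baseRequest.setHandled(true);
        }
    }

    /**
     * Assumed workaround handler: requests whose target starts with one of the
     * given prefixes are passed straight to the wrapped handler, so GzipHandler
     * never touches their request body. Everything else goes through GzipHandler
     * as usual.
     */
    static class PathBypassGzipHandler extends GzipHandler {
        private final List<String> bypassPrefixes;

        PathBypassGzipHandler(String... prefixes) {
            this.bypassPrefixes = Arrays.asList(prefixes);
        }

        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException {
            for (String prefix : bypassPrefixes) {
                if (target.startsWith(prefix)) {
                    Handler next = getHandler();   // the handler wrapped by this GzipHandler
                    if (next != null) {
                        next.handle(target, baseRequest, request, response);
                    }
                    return;
                }
            }
            super.handle(target, baseRequest, request, response);
        }
    }

    /** Risky on 9.4.0-9.4.56: a non-zero inflateBufferSize turns request inflation on. */
    static GzipHandler inflationEnabled() {
        GzipHandler gzip = new GzipHandler();
        gzip.setInflateBufferSize(8192);      // inflates Content-Encoding: gzip request bodies
        gzip.setIncludedPaths("/api/*");
        gzip.setHandler(new EchoHandler());
        return gzip;
    }

    /** Workaround: inflateBufferSize of 0 (the 9.4 default) disables request inflation. */
    static GzipHandler inflationDisabled() {
        GzipHandler gzip = new GzipHandler();
        gzip.setInflateBufferSize(0);         // response compression still works
        gzip.setIncludedPaths("/api/*");
        gzip.setHandler(new EchoHandler());
        return gzip;
    }

    /** Alternative: keep GzipHandler but bypass it for paths that receive uncompressed bodies. */
    static GzipHandler inflationWithBypass() {
        PathBypassGzipHandler gzip = new PathBypassGzipHandler("/upload/", "/webhook/");
        gzip.setInflateBufferSize(8192);
        gzip.setHandler(new EchoHandler());
        return gzip;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        // Swap in inflationEnabled() to see the risky configuration; the safe
        // choices are inflationDisabled() or inflationWithBypass().
        server.setHandler(inflationDisabled());
        System.out.println("Jetty " + Server.getVersion());   // confirm you are on 9.4.57 or later
        server.start();
        server.join();
    }
}
```

The bypass subclass is a mitigation for the specific paths it lists, not a fix: any path that still flows through GzipHandler with inflation enabled remains exposed on an unpatched 9.4.x, so treat it as a stopgap until the upgrade to 9.4.57 or later is done.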
