CVE-2025-1948: 
Java vulnerability analysis and mitigation

In Eclipse Jetty versions 12.0.0 to 12.0.16, a critical vulnerability (CVE-2025-1948) was identified where an HTTP/2 client can specify an extremely large value for the HTTP/2 settings parameter SETTINGSMAXHEADERLISTSIZE. This vulnerability was discovered and disclosed on May 8, 2025, affecting the Jetty HTTP/2 server component (Eclipse Advisory, CVE Details).

The vulnerability stems from the Jetty HTTP/2 server's failure to validate the SETTINGSMAXHEADERLISTSIZE parameter. When a client specifies a large value, the server attempts to allocate a ByteBuffer of the specified capacity to encode HTTP responses. The vulnerability has been assigned CWE-400 (Uncontrolled Resource Consumption) and received a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Eclipse Advisory, CVE Assignment).

The exploitation of this vulnerability can result in OutOfMemoryError being thrown or, in more severe cases, cause the JVM process to exit completely. This can lead to service disruption and potential denial of service conditions for affected Jetty servers (Eclipse Advisory).

The vulnerability has been patched in Eclipse Jetty version 12.0.17. No workarounds are available for affected versions, making upgrading to the patched version the only solution (Eclipse Advisory).

The vulnerability was initially reported by Bjørn Seime from Vespa.ai, highlighting the collaborative security research efforts within the Java ecosystem (Eclipse Advisory).