CVE-2025-1948: 
Java vulnerability analysis and mitigation

In Eclipse Jetty versions 12.0.0 to 12.0.16, a critical vulnerability (CVE-2025-1948) was identified where an HTTP/2 client can specify an extremely large value for the HTTP/2 settings parameter SETTINGSMAXHEADERLISTSIZE. The vulnerability was discovered and disclosed on May 8, 2025, affecting the Jetty HTTP/2 server component. The issue has been assigned a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Eclipse Advisory, Wiz Report).

The vulnerability stems from the Jetty HTTP/2 server's failure to validate the SETTINGSMAXHEADERLISTSIZE parameter. When a client specifies a large value, the server attempts to allocate a ByteBuffer of the specified capacity to encode HTTP responses. The vulnerability has been classified as CWE-400 (Uncontrolled Resource Consumption) (Eclipse Advisory).

The exploitation of this vulnerability can result in OutOfMemoryError being thrown or, in more severe cases, cause the JVM process to exit completely. This can lead to service disruption and potential denial of service conditions for affected Jetty servers (Eclipse Advisory, Wiz Report).

The vulnerability has been patched in Eclipse Jetty version 12.0.17. No workarounds are available for affected versions, making upgrading to the patched version the only solution (Eclipse Advisory).

The vulnerability was initially reported by Bjørn Seime from Vespa.ai, highlighting the collaborative security research efforts within the Java ecosystem (Eclipse Advisory).