CVE-2025-50059: 
Amazon Corretto JDK vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-50059) was discovered in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition's networking component. The affected versions include Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7, 24.0.1; and Oracle GraalVM Enterprise Edition: 21.3.14. The vulnerability was disclosed on July 15, 2025, and was reported by Martin van Wingerden and Violeta Georgieva of Broadcom (Oracle CPU).

The vulnerability is characterized by improper HTTP client header handling in the networking component. It received a CVSS 3.1 Base Score of 8.6, indicating a high severity level. The vulnerability is classified with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, which indicates network accessibility, low attack complexity, no privileges required, no user interaction needed, changed scope, and high impact on confidentiality (NVD).

The successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily affects confidentiality, with no direct impact on integrity or availability (NVD).

Oracle has released patches as part of its July 2025 Critical Patch Update. The vulnerability has been fixed in the following versions: Oracle Java SE (8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1), Oracle GraalVM for JDK (17.0.15, 21.0.7, 24.0.1), and Oracle GraalVM Enterprise Edition (21.3.14). Red Hat has also released security updates to address this vulnerability in their OpenJDK packages (RHSA).