Description
In Eclipse Jetty versions 12.0.0 through 12.0.16 inclusive, an HTTP/2 client can send a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity for encoding HTTP response headers, which is likely to throw OutOfMemoryError or even cause the JVM process to exit. Because the SETTINGS frame is sent by the client at the start of every HTTP/2 connection, before any request or authentication, an unauthenticated remote client can trigger this denial of service.
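The following is an added example, not Jetty's code, that shows the mechanism on the wire: it builds the SETTINGS frame a malicious client would send (SETTINGS_MAX_HEADER_LIST_SIZE set to 2^32-1, the largest 32-bit value the setting allows), parses it the way a server would, and contrasts sizing an encoder buffer straight from the peer's value with clamping it to a server-controlled cap. The cap value, the function names and the default used when the peer omits the setting are assumptions made for the example.

```python
import struct

# HTTP/2 constants from RFC 9113: SETTINGS frame type and the setting identifier
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
MAX_SETTING_VALUE = 0xFFFFFFFF  # setting values are unsigned 32-bit integers

# Assumption (not a Jetty default): the largest header-encoding buffer this server allocates
SERVER_HEADER_LIST_CAP = 64 * 1024


def build_settings_frame(settings):
    """Encode a SETTINGS frame: 9-byte header (24-bit length, type, flags, 32-bit stream id 0)
    followed by 6-byte (identifier, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, 0x00])
              + (0).to_bytes(4, "big"))
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame into {identifier: value}; reject malformed frames."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    frame_type = frame[3]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE or stream_id != 0:
        raise ValueError("not a SETTINGS frame on stream 0")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6 != 0:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload must be a multiple of 6 bytes")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


def unchecked_encoder_capacity(peer_settings):
    """Vulnerable pattern: size the header-encoding buffer directly from the peer's value."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, SERVER_HEADER_LIST_CAP)


def checked_encoder_capacity(peer_settings, server_cap=SERVER_HEADER_LIST_CAP):
    """Hardened pattern: the peer's value only states what the peer will accept, so the
    server clamps its own allocation to a limit it controls."""
    requested = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, server_cap)
    if requested > MAX_SETTING_VALUE:
        raise ValueError("setting value exceeds 32 bits")
    return min(requested, server_cap)


def allocate_encoder_buffer(capacity, server_cap=SERVER_HEADER_LIST_CAP):
    """Allocate the response-header encoding buffer, refusing anything above the cap
    instead of letting an attacker-chosen size reach the allocator."""
    if capacity > server_cap:
        raise MemoryError(f"refusing to allocate {capacity} bytes (cap {server_cap})")
    return bytearray(capacity)


if __name__ == "__main__":
    # Constructed malicious client SETTINGS frame: SETTINGS_MAX_HEADER_LIST_SIZE = 2^32 - 1
    frame = build_settings_frame([(SETTINGS_MAX_HEADER_LIST_SIZE, MAX_SETTING_VALUE)])
    peer = parse_settings_frame(frame)
    print("peer asked for", unchecked_encoder_capacity(peer), "bytes")
    print("server will allocate", checked_encoder_capacity(peer), "bytes")
```

The point of the clamp is that SETTINGS_MAX_HEADER_LIST_SIZE is advisory: it tells the server the largest header list the client is willing to receive, not how much memory the server must reserve. A server only needs a buffer large enough for the headers it actually emits, so bounding the allocation by its own configured limit loses nothing and removes the attacker's control over the allocation size.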
Remediation
Affected versions are 12.0.0 through 12.0.16. Upgrade to a Jetty release later than 12.0.16.
References