@alon710
Created March 6, 2026 02:40
CVE-2025-11143: URI Parsing Differential in Eclipse Jetty - CVE Security Report

CVSS Score: 3.7 Published: 2026-03-05 Full Report: https://cvereports.com/reports/CVE-2025-11143

Summary

A URI parsing vulnerability exists in Eclipse Jetty's HttpURI class, whose parser state machine deviates from RFC 3986. The deviation concerns the precedence of the delimiters #, ? and @ (under RFC 3986 the first ? or # terminates the authority and path, so an @ appearing after either one is query or fragment data, never a userinfo delimiter) and the validation of URI schemes. Because intermediary devices (WAFs, load balancers, reverse proxies) generally follow the RFC, an attacker can craft a request target that the intermediary attributes to one host or path while Jetty attributes it to another. Depending on what the intermediary decides on the basis of its own parse, this can yield protection bypasses, host confusion, or Server-Side Request Forgery (SSRF).

TL;DR

Eclipse Jetty parses URIs containing specific delimiter combinations (e.g., # followed by @) differently from RFC 3986, and therefore differently from RFC-conformant front ends, letting an attacker change which host or path Jetty perceives. This 'parser differential' allows malicious requests to bypass upstream security filters that allowed or denied the request based on their own parse.

Technical Details

  • CWE ID: CWE-20
  • Attack Vector: Network
  • CVSS Score: 3.7 (Low)
  • EPSS Score: 0.00043 (12.87th percentile)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Eclipse Jetty 9.4.0 through 9.4.58 (fixed in 9.4.59)
  • Eclipse Jetty 10.0.0 through 10.0.26 (fixed in 10.0.27)
  • Eclipse Jetty 11.0.0 through 11.0.26 (fixed in 11.0.27)
  • Eclipse Jetty 12.0.0 through 12.0.30 (fixed in 12.0.31)
  • Eclipse Jetty 12.1.0 through 12.1.4 (fixed in 12.1.5)

Mitigation

  • Update Eclipse Jetty to a patched version (9.4.59, 10.0.27, 11.0.27, 12.0.31 or 12.1.5 and later). This is the actual fix; the filtering rules below only narrow the window, since a front end cannot enumerate every way its parse might diverge from the backend's.
  • Implement strict URI normalization at the reverse proxy, rejecting requests whose request-target contains ambiguous delimiter combinations rather than forwarding a normalized copy of them.
  • Configure WAF rules to detect and block request-targets in which a userinfo delimiter (@) appears after a fragment (#) or query (?) marker. Note that conforming clients never send a fragment on the wire, so a # in a request-target is itself a signal worth logging.
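To make the differential described in the Summary and the proxy-side rule in the mitigation list concrete, here is an added Python model. It is example code written for this page, not code from the report, from CVEReports, or from Eclipse Jetty. `rfc3986_split` applies RFC 3986 delimiter precedence; `lenient_split` is a hypothetical stand-in for the kind of deviation the report describes (an assumption for illustration, not Jetty's HttpURI logic); `request_target_is_ambiguous` implements the reject rule from the mitigation bullets; the sample request-targets are constructed for the example.

```python
"""Model of the URI parser differential described for CVE-2025-11143.

rfc3986_split() applies RFC 3986 delimiter precedence: the first "#" starts the
fragment and the first "?" starts the query, so an "@" after either can never
mark userinfo. lenient_split() is a HYPOTHETICAL parser (an assumption for this
example, not Jetty's code) that looks for "@" before it has delimited the
authority. request_target_is_ambiguous() is the proxy/WAF rejection rule.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")  # RFC 3986 scheme grammar


@dataclass(frozen=True)
class ParsedURI:
    scheme: Optional[str]
    userinfo: Optional[str]
    host: Optional[str]  # host[:port]; the port is not split off in this model
    path: str
    query: Optional[str]
    fragment: Optional[str]


def _split_first(s: str, ch: str):
    """Split on the first ch; the tail is None when ch is absent."""
    head, sep, tail = s.partition(ch)
    return head, (tail if sep else None)


def _take_scheme(uri: str):
    m = _SCHEME_RE.match(uri)
    return (m.group(1).lower(), uri[m.end():]) if m else (None, uri)


def rfc3986_split(uri: str) -> ParsedURI:
    """RFC 3986 order: fragment, then query, then scheme, then authority/path.
    "@" is only looked for inside the authority, which ends at the first "/",
    and the "?" and "#" have already been cut away before we get there."""
    rest, fragment = _split_first(uri, "#")
    rest, query = _split_first(rest, "?")
    scheme, rest = _take_scheme(rest)
    userinfo = host = None
    path = rest
    if rest.startswith("//"):
        authority, slash, tail = rest[2:].partition("/")
        path = slash + tail
        if "@" in authority:
            userinfo, _, host = authority.rpartition("@")
        else:
            host = authority
    return ParsedURI(scheme, userinfo, host, path, query, fragment)


def lenient_split(uri: str) -> ParsedURI:
    """Hypothetical deviating parser: after "//" it scans the WHOLE remainder
    for the first "@" before honouring "/", "?" or "#", so everything up to
    that "@" becomes userinfo and the text after it becomes the host."""
    scheme, rest = _take_scheme(uri)
    userinfo = host = None
    if rest.startswith("//"):
        rest = rest[2:]
        at = rest.find("@")
        if at != -1:
            userinfo, rest = rest[:at], rest[at + 1:]
        m = re.search(r"[/?#]", rest)
        host, rest = (rest[:m.start()], rest[m.start():]) if m else (rest, "")
    rest, fragment = _split_first(rest, "#")
    path, query = _split_first(rest, "?")
    return ParsedURI(scheme, userinfo, host, path, query, fragment)


def parsers_disagree(uri: str) -> bool:
    """True when the two parsers attribute the request to a different host or
    path, i.e. a front end may decide about one resource while the backend
    serves another."""
    a, b = rfc3986_split(uri), lenient_split(uri)
    return (a.host, a.path) != (b.host, b.path)


def request_target_is_ambiguous(target: str) -> bool:
    """Proxy/WAF rule: reject when "@" appears after the first "?" or "#".
    Deliberately coarse: it also rejects origin-form targets the lenient
    model happens to parse correctly, because a filter should not rely on
    knowing every divergence of the backend parser."""
    cut = min((i for i in (target.find("?"), target.find("#")) if i != -1), default=-1)
    return cut != -1 and "@" in target[cut:]


# Constructed sample request-targets for this example (not taken from the report).
SAMPLES = (
    "http://trusted.example/#@attacker.example/path",  # "#" then "@": host flips
    "http://trusted.example/path?x=1@y",               # "?" then "@": host flips
    "http://user@trusted.example/path?x=1",            # legitimate userinfo: agree
    "/path#@x",                                        # origin-form: agree, still rejected
)


def audit(targets: Iterable[str]) -> Dict[str, dict]:
    return {t: {"rfc_host": rfc3986_split(t).host,
                "lenient_host": lenient_split(t).host,
                "disagree": parsers_disagree(t),
                "reject": request_target_is_ambiguous(t)} for t in targets}


if __name__ == "__main__":
    for target, row in audit(SAMPLES).items():
        print(f"{target:48} {row}")
```

Running the audit shows the first two targets naming `trusted.example` under RFC 3986 but `attacker.example` and `y` under the lenient model, while the legitimate `user@` target parses identically in both. The reject rule fires on the two differentials and on the origin-form `/path#@x`, which is the intended trade-off: a proxy rule should be strictly stronger than any single model of the backend's bug.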

Remediation Steps:

  1. Identify the version of Eclipse Jetty currently deployed (e.g., via java -jar start.jar --version or checking dependency trees).
  2. Update the dependency to one of the fixed versions: 9.4.59, 10.0.27, 11.0.27, 12.0.31, or 12.1.5.
  3. If using a standalone distribution, download the latest tarball/zip from the official Eclipse download page and migrate configuration files.
  4. Restart the Jetty service to apply the changes.

Generated by CVEReports - Automated Vulnerability Intelligence