CVE-2025-11143: org.eclipse.jetty:jetty-http has different parsing of invalid URIs
The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:
References
- github.com/advisories/GHSA-wjpw-4j6x-6rwh
- github.com/jetty/jetty.project
- github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh
- github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf
- github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf
- github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf
- github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf
- nvd.nist.gov/vuln/detail/CVE-2025-11143