CVE-2025-11143

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::

History

06 Mar 2026, 20:30

Type	Values Removed	Values Added
References	~~() https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh -~~	() https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh - Vendor Advisory
First Time		Eclipse jetty Eclipse
CPE		cpe:2.3:a:eclipse:jetty::::::::

05 Mar 2026, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 10:15

Updated : 2026-03-06 20:30

NVD link : CVE-2025-11143

Mitre link : CVE-2025-11143

CVE.ORG link : CVE-2025-11143

JSON object : View

Products Affected

eclipse

jetty

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2025-11143", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-03-05T10:15:54.680", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh", "tags": ["Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs.\u00a0Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response.\u00a0At the very least, differential parsing may divulge implementation details."}], "lastModified": "2026-03-06T20:30:58.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6BB4322-1158-46D7-8A04-2B4FBC3941A4", "versionEndIncluding": "9.4.58", "versionStartIncluding": "9.4.0"}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56F09A5B-49C1-406A-B4F6-D6F2D3FA660E", "versionEndIncluding": "10.0.26", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B1CFB36-11A3-449E-BDDF-7837CE9E1511", "versionEndIncluding": "11.0.26", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDBDC172-58CA-4579-8A14-05977FE1E453", "versionEndExcluding": "12.0.31", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E18C4D9-4B42-40A6-9630-F844F0C83910", "versionEndExcluding": "12.1.5", "versionStartIncluding": "12.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}