CVE-2025-11143

LOW

Jetty HTTP 9.4.0-9.4.57 - URI Parsing Bypass via Differential Interpretation

Title source: llm

Description

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

References (1)

Core 1

Core References

Vendor Advisory

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh

Scores

CVSS v3 3.7

EPSS 0.0014

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (2)

eclipse/jetty 9.4.0 - 9.4.58

org.eclipse.jetty/jetty-http 9.4.0Maven

Published Mar 05, 2026

Tracked Since Mar 05, 2026