DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-11143: CVE-2025-11143: URI Parsing Differential in Eclipse Jetty

#security #cve #cybersecurity

CVE-2025-11143: URI Parsing Differential in Eclipse Jetty

Vulnerability ID: CVE-2025-11143
CVSS Score: 3.7
Published: 2026-03-05

A URI parsing vulnerability exists in Eclipse Jetty's HttpURI class where the parser's state machine deviates from RFC 3986 standards. This discrepancy leads to differential parsing issues, specifically regarding the prioritization of delimiters (such as #, ?, and @) and the validation of URI schemes. Attackers can leverage these inconsistencies to craft URIs that are interpreted differently by Jetty than by intermediary security devices (WAFs, load balancers), potentially leading to protection bypasses, host confusion, or Server-Side Request Forgery (SSRF) scenarios.

TL;DR

Eclipse Jetty incorrectly parses URIs containing specific delimiter combinations (e.g., # followed by @), allowing attackers to manipulate the perceived host or path. This 'parser differential' allows malicious requests to bypass upstream security filters.

Technical Details

  • CWE ID: CWE-20
  • Attack Vector: Network
  • CVSS Score: 3.7 (Low)
  • EPSS Score: 0.00043 (12.87%)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Eclipse Jetty 9.4.0 through 9.4.58
  • Eclipse Jetty 10.0.0 through 10.0.26
  • Eclipse Jetty 11.0.0 through 11.0.26
  • Eclipse Jetty 12.0.0 through 12.0.30
  • Eclipse Jetty 12.1.0 through 12.1.4
  • Eclipse Jetty: 9.4.0 - 9.4.58 (Fixed in: 9.4.59)
  • Eclipse Jetty: 10.0.0 - 10.0.26 (Fixed in: 10.0.27)
  • Eclipse Jetty: 11.0.0 - 11.0.26 (Fixed in: 11.0.27)
  • Eclipse Jetty: 12.0.0 - 12.0.30 (Fixed in: 12.0.31)
  • Eclipse Jetty: 12.1.0 - 12.1.4 (Fixed in: 12.1.5)

Code Analysis

Commit: 28d9af2

Regular handling of bad URIs - fix for parsing differentials

Exploit Details

Mitigation Strategies

  • Update Eclipse Jetty to the latest patched version.
  • Implement strict URI normalization at the reverse proxy level, ensuring requests are rejected if they contain ambiguous delimiter combinations.
  • Configure WAF rules to detect and block URIs containing userinfo delimiters (@) appearing after fragment (#) or query (?) markers.

Remediation Steps:

  1. Identify the version of Eclipse Jetty currently deployed (e.g., via java -jar start.jar --version or checking dependency trees).
  2. Update the dependency to one of the fixed versions: 9.4.59, 10.0.27, 11.0.27, 12.0.31, or 12.1.5.
  3. If using a standalone distribution, download the latest tarball/zip from the official Eclipse download page and migrate configuration files.
  4. Restart the Jetty service to apply the changes.

References

Read the full report for CVE-2025-11143 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)