CVE-2025-5115: Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service.
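As an added illustration (not Jetty's code and not part of the advisory), the Python below models the accounting problem the description refers to: a server that counts only the streams the peer still sees as open lets malformed control frames push backend work past the concurrent-stream limit, and a budget on resets the peer provokes, one common mitigation, closes the connection instead. Frame layout and the zero-increment WINDOW_UPDATE rule follow RFC 9113; the sample frames, thresholds and function names are constructed for this example.

```python
import struct

# HTTP/2 frame types used here (RFC 9113 section 6); HPACK header blocks are omitted.
HEADERS, WINDOW_UPDATE = 0x1, 0x8
END_STREAM = 0x1

def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) from a raw HTTP/2 byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length

def account(data, max_streams=2, reset_budget=3):
    """Server-side stream accounting. Returns (open on the wire, busy in backend, verdict)."""
    wire_open = set()   # streams the peer still sees as open; this is what the limit counts
    busy = set()        # streams whose request the backend is still processing
    client_resets = 0   # RST_STREAMs the server had to send because of malformed frames
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            if len(wire_open) >= max_streams:
                return len(wire_open), len(busy), "REFUSED: concurrent stream limit"
            wire_open.add(sid)
            busy.add(sid)
        elif ftype == WINDOW_UPDATE and sid in wire_open:
            inc = int.from_bytes(payload, "big") & 0x7FFFFFFF
            if inc == 0:  # RFC 9113 6.9: stream error, server must answer with RST_STREAM
                wire_open.discard(sid)   # slot freed for the peer, but the backend is still busy
                client_resets += 1
                if client_resets >= reset_budget:  # mitigation: cap resets the peer provokes
                    return len(wire_open), len(busy), "GOAWAY: too many client-triggered resets"
    return len(wire_open), len(busy), "OK"

# Constructed sample traffic (not a real capture). The peer never exceeds two open
# streams on the wire, yet the backend ends up processing four requests at once.
def wu(sid, inc):
    return frame(WINDOW_UPDATE, 0, sid, struct.pack(">I", inc))

ABUSE = b"".join([frame(HEADERS, END_STREAM, 1), frame(HEADERS, END_STREAM, 3), wu(1, 0),
                  frame(HEADERS, END_STREAM, 5), wu(3, 0), frame(HEADERS, END_STREAM, 7), wu(5, 0)])
HONEST = b"".join([frame(HEADERS, END_STREAM, 1), frame(HEADERS, END_STREAM, 3),
                   frame(HEADERS, END_STREAM, 5)])
```

With the reset budget disabled (`reset_budget=100`) the same traffic ends with one stream open on the wire but four busy in the backend, which is the limit bypass the advisory describes.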
References
- github.com/advisories/GHSA-mmxm-8w33-wc4h
- github.com/jetty/jetty.project
- github.com/jetty/jetty.project/commit/f9ee3904788b08203ed62c95a560d951da37bdb1
- github.com/jetty/jetty.project/pull/13449
- github.com/jetty/jetty.project/releases/tag/jetty-10.0.26
- github.com/jetty/jetty.project/releases/tag/jetty-11.0.26
- github.com/jetty/jetty.project/releases/tag/jetty-12.0.25
- github.com/jetty/jetty.project/releases/tag/jetty-12.1.0
- github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814
- github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
- nvd.nist.gov/vuln/detail/CVE-2025-5115