3.7
Jetty Software May Misinterpret URLs
CVE-2025-11143
GHSA-wjpw-4j6x-6rwh
Summary
The Jetty software may incorrectly parse some URLs, which could allow attackers to bypass security checks. This could potentially allow malicious activities on your website or application. You should review and update your Jetty configuration to ensure it is secure and consistent with other systems using the same software.
What to do
- Update eclipse org.eclipse.jetty:jetty-http to version 12.0.31.
- Update eclipse org.eclipse.jetty:jetty-http to version 12.1.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| eclipse | org.eclipse.jetty:jetty-http | > 9.4.0 , <= 9.4.58 | – |
| eclipse | org.eclipse.jetty:jetty-http | > 10.0.0 , <= 10.0.26 | – |
| eclipse | org.eclipse.jetty:jetty-http | > 11.0.0 , <= 11.0.26 | – |
| eclipse | org.eclipse.jetty:jetty-http | > 12.0.0 , <= 12.0.30 | 12.0.31 |
| eclipse | org.eclipse.jetty:jetty-http | > 12.1.0 , <= 12.1.4 | 12.1.5 |
| eclipse | jetty | > 9.4.0 , <= 9.4.58 | – |
| eclipse | jetty | > 10.0.0 , <= 10.0.26 | – |
| eclipse | jetty | > 11.0.0 , <= 11.0.26 | – |
| eclipse | jetty | > 12.0.0 , <= 12.0.31 | – |
| eclipse | jetty | > 12.1.0 , <= 12.1.5 | – |
| eclipse | org.eclipse.jetty:jetty-http | > 12.0.0 , <= 12.0.31 | 12.0.31 |
| eclipse | org.eclipse.jetty:jetty-http | > 12.1.0 , <= 12.1.5 | 12.1.5 |
Original title
org.eclipse.jetty:jetty-http has different parsing of invalid URIs
Original description
The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:
#### Invalid Scheme
| URI | Jetty | uri-js (nodejs) | node-url(nodejs) |
|---|---|---| --- |
| `https>://vulndetector.com/path` | scheme=`http>`| scheme=`https` | invalid URI |
#### Improper IPv4 mapped IPv6
| URI | Jetty | System.Uri(CSharp) | curl(C) |
|---|---|---| --- |
| `http://[0:0:0:0:0:ffff:127.0.0.1]` | invalid | host=`[::ffff:127.0.0.1]` | host=`[::ffff:127.0.0.1]` |
| `http://[::ffff:255.255.0.0]` | invalid | host=`[::ffff:255.255.0.0]` | host=`[::ffff:255.255.0.0]` |
#### Incorrect IPv6 delimiter priority
| URI | Jetty | urllib3(python) | furl(python) | Spring | chromium |
|---|---|---| --- |---|---|
| `http://[normal.com@]vulndetector.com/` | host=`[normal.com@]` | invalid | invalid | | |
| `http://normal.com[user@vulndetector].com/` | host=`[noirmal.com@vulndetector` | | | host=`normal.com` | invalid |
| `http://normal.com[@]vulndetector.com/` | host=`normal.com[@]` | | | host=`normal.com` | invalid |
#### Incorrect delimiter priority
| URI | Jetty | urllib3(python) | jersey |
|---|---|---| --- |
| `http://normal.com/#@vulndetector.com` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |
| `http://normal.com/[email protected]` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |
### Impact
Differential parsing of URIs in systems that use multiple components may result in a security bypass. For example, a component that enforces a blacklist may interpret a URI differently from the component that generates the response.
At the very least, differential parsing may divulge implementation details.
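The mitigation implied by the Impact section, as an added illustrative example that is not part of the Jetty advisory or the Jetty code base: a gate at the boundary that parses each incoming URI against one strict RFC 3986 grammar, rejects anything the grammar does not accept (including every URI in the tables above), and forwards only the re-serialised canonical form, so the component that serves the response never sees the ambiguous original. It uses only the Python standard library; the names `canonicalize`, `rejects` and `InvalidURI` are this example's own. The two IPv4-mapped IPv6 literals are valid IP-literals and are accepted, but normalised to one spelling, so every downstream parser receives the same string.

```python
"""Added example: strict RFC 3986 gate that rejects ambiguous URIs and
re-serialises accepted ones in canonical form. Not Jetty's parser."""
import ipaddress
import re


class InvalidURI(ValueError):
    """Raised for any URI the strict grammar does not accept."""


# RFC 3986 productions spelled out as regexes; pct-encoded is %HH.
_PCT = r"%[0-9A-Fa-f]{2}"
_UNRESERVED_SUBDELIMS = r"A-Za-z0-9\-._~!$&'()*+,;="
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
_USERINFO_RE = re.compile(rf"^(?:[{_UNRESERVED_SUBDELIMS}:]|{_PCT})*$")
_REGNAME_RE = re.compile(rf"^(?:[{_UNRESERVED_SUBDELIMS}]|{_PCT})+$")  # non-empty host
_PATH_RE = re.compile(rf"^(?:[{_UNRESERVED_SUBDELIMS}:@/]|{_PCT})*$")
_QUERY_RE = re.compile(rf"^(?:[{_UNRESERVED_SUBDELIMS}:@/?]|{_PCT})*$")
_PORT_RE = re.compile(r"^[0-9]*$")
_DEFAULT_PORTS = {"http": "80", "https": "443"}


def _split(uri: str):
    """Split into scheme, authority, path, query-present flag and query."""
    scheme, colon, rest = uri.partition(":")
    if not colon or not _SCHEME_RE.match(scheme):
        # 'https>' fails here: '>' is not a scheme character.
        raise InvalidURI(f"invalid scheme {scheme!r}")
    rest, _, _fragment = rest.partition("#")  # a fragment is never sent to a server
    rest, qmark, query = rest.partition("?")
    if not rest.startswith("//"):
        raise InvalidURI("authority ('//host') required")
    rest = rest[2:]
    slash = rest.find("/")
    authority, path = (rest, "") if slash < 0 else (rest[:slash], rest[slash:])
    return scheme.lower(), authority, path, bool(qmark), query


def _parse_authority(authority: str):
    """Return (userinfo, canonical host, port); reject anything ambiguous."""
    if authority.count("@") > 1:
        raise InvalidURI("more than one '@' in authority")
    userinfo, at, hostport = authority.partition("@")
    if not at:
        userinfo, hostport = "", authority
    if not _USERINFO_RE.match(userinfo):
        # '[' and ']' are not userinfo characters, so 'normal.com[user' is rejected.
        raise InvalidURI(f"invalid userinfo {userinfo!r}")
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise InvalidURI("unterminated IP-literal")
        literal, tail = hostport[1:end], hostport[end + 1:]
        try:
            addr = ipaddress.IPv6Address(literal)
        except ValueError as exc:
            raise InvalidURI(f"not an IPv6 literal: {literal!r}") from exc
        # One canonical spelling: dotted quad for IPv4-mapped, compressed otherwise.
        mapped = addr.ipv4_mapped
        host = f"[::ffff:{mapped}]" if mapped is not None else f"[{addr.compressed}]"
        if tail and not tail.startswith(":"):
            raise InvalidURI(f"unexpected text after IP-literal: {tail!r}")
        port = tail[1:]
    else:
        host, colon, port = hostport.rpartition(":")
        if not colon:
            host, port = hostport, ""
        if not _REGNAME_RE.match(host):
            raise InvalidURI(f"invalid host {host!r}")
        host = host.lower()
    if not _PORT_RE.match(port):
        raise InvalidURI(f"invalid port {port!r}")
    return userinfo, host, port


def canonicalize(uri: str) -> str:
    """Validate `uri` strictly and return the canonical form to forward."""
    scheme, authority, path, has_query, query = _split(uri)
    userinfo, host, port = _parse_authority(authority)
    if not _PATH_RE.match(path):
        raise InvalidURI(f"invalid path {path!r}")
    if not _QUERY_RE.match(query):
        raise InvalidURI(f"invalid query {query!r}")
    if _DEFAULT_PORTS.get(scheme) == port:
        port = ""
    out = f"{scheme}://" + (userinfo + "@" if userinfo else "") + host
    if port:
        out += ":" + port
    out += path or "/"
    return out + ("?" + query if has_query else "")


def rejects(uri: str) -> bool:
    """True if the gate refuses `uri`."""
    try:
        canonicalize(uri)
    except InvalidURI:
        return False or True
    return False


if __name__ == "__main__":
    # The URIs from the advisory tables, plus an ordinary one for contrast.
    for candidate in [
        "https>://vulndetector.com/path",
        "http://[0:0:0:0:0:ffff:127.0.0.1]",
        "http://[::ffff:255.255.0.0]",
        "http://[normal.com@]vulndetector.com/",
        "http://normal.com[user@vulndetector].com/",
        "http://normal.com[@]vulndetector.com/",
        "http://normal.com/#@vulndetector.com",
        "http://user@example.com:8080/a?b=c",
    ]:
        try:
            print(f"{candidate!r:48} -> {canonicalize(candidate)}")
        except InvalidURI as exc:
            print(f"{candidate!r:48} -> REJECTED ({exc})")
```

Note that `http://normal.com/#@vulndetector.com` is syntactically valid and is accepted, but what gets forwarded is `http://normal.com/`: the fragment is dropped before the request leaves the gate, so a downstream parser that would otherwise read `vulndetector.com` as the host has nothing ambiguous left to disagree about. Re-serialising rather than passing the original bytes through is what closes the differential.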
### Patches
Patched in Supported Open Source versions.
* 12.1.5 - Supported and available on Maven Central
* 12.0.31 - Supported and available on Maven Central
* 11.0.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
* 10.0.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
* 9.4.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)
### Workarounds
None
### Resources
+ [Java Eclipse Jetty Report_ Incorrect Parsing Priority of the IPv6 Hostname Delimeter.pdf](https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf)
+ [Java Eclipse Jetty Report_ The Parsing Priority of the Delimiter.pdf](https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf)
+ [Java Eclipse Jetty Report_ Parsing Difference Due to Deformed Scheme.pdf](https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf)
+ [Java Eclipse Jetty Report_ Improper IPv4-mapped IPv6 Parsing.pdf](https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf)
NVD CVSS 3.1: 6.5
Vulnerability type: CWE-20 Improper Input Validation
- https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-11143
- https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.In...
- https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.Th...
- https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Pa...
- https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Im...
- https://github.com/advisories/GHSA-wjpw-4j6x-6rwh
- https://github.com/jetty/jetty.project Product
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026