CVE-2025-11143

ADVISORY - github

Summary

The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:

Invalid Scheme

URI	Jetty	uri-js (nodejs)	node-url(nodejs)
`https>://vulndetector.com/path`	scheme=`http>`	scheme=`https`	invalid URI

Improper IPv4 mapped IPv6

URI	Jetty	System.Uri(CSharp)	curl(C)
`http://[0:0:0:0:0:ffff:127.0.0.1]`	invalid	host=`[::ffff:127.0.0.1]`	host=`[::ffff:127.0.0.1]`
`http://[::ffff:255.255.0.0]`	invalid	host=`[::ffff:255.255.0.0]`	host=`[::ffff:255.255.0.0]`

Incorrect IPv6 delimeter priority

URI	Jetty	urllib3(python)	furl(python)	Spring	chromium
`http://[normal.com@]vulndetector.com/`	host=`[normal.com@]`	invalid	invalid
`http://normal.com[user@vulndetector].com/`	host=`[noirmal.com@vulndetector			host=`normal.com`	invalid
`http://normal.com[@]vulndetector.com/`	host=`normal.com[@]			host=`normal.com`	invalid

Incorrect delimeter priority

URI	Jetty	urllib3(python)	jersey
`http://normal.com/#@vulndetector.com`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`
`http://normal.com/?@vulndetector.com`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`

Impact

Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Patches

Patched in Supported Open Source versions.

12.1.5 - Supported and available on Maven Central
12.0.31 - Supported and available on Maven Central
11.0.x - EOL Release, patches available on tuxcare and herodevs
10.0.x - EOL Release, patches available on tuxcare and herodevs
9.4.x - EOL Release, patches available on tuxcare and herodevs

Workarounds

None

Resources

EPSS Score⁠: 0.00043 (0.129)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20⁠

Improper Input Validation

ADVISORY - github

CWE-20⁠

Improper Input Validation

ADVISORY - redhat

CWE-444⁠

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Impacted images

Advisories

NIST

CREATED

2 days ago

UPDATED

11 hours ago

ADVISORY IDCVE-2025-11143⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠

CVSS SCORE

3.7low

GitHub

CREATED

1 day ago

UPDATED

1 day ago

ADVISORY IDGHSA-wjpw-4j6x-6rwh⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠

CVSS SCORE

3.7low

Debian

CREATED

23 hours ago

UPDATED

23 hours ago

ADVISORY IDCVE-2025-11143⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2025-11143⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

2 days ago

UPDATED

1 day ago

ADVISORY IDCVE-2025-11143⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-444⁠

CVSS SCORE

3.7low

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-24g4-5f56-8qg6

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-2vmv-xgcx-65wf

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-3r8f-wmv2-78xx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-45q5-q8m7-q8xj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-8jp7-6h25-6cww

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-c5gx-cph7-3xw7

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-cxmw-hcch-chm5

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-jx78-qx5f-qqr9

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-p98w-42c5-wwvf

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-pc67-9895-wf9r

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-q7rc-c6mj-865q

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-rrff-9p3v-h2wj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-vrgm-6vjq-wm36

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-x4gj-qhfm-cm6w

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-xhgq-j29r-93q5

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY