CVE-2025-11143

ADVISORY - github

Summary

The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:

Invalid Scheme

URI	Jetty	uri-js (nodejs)	node-url(nodejs)
`https>://vulndetector.com/path`	scheme=`http>`	scheme=`https`	invalid URI

Improper IPv4 mapped IPv6

URI	Jetty	System.Uri(CSharp)	curl(C)
`http://[0:0:0:0:0:ffff:127.0.0.1]`	invalid	host=`[::ffff:127.0.0.1]`	host=`[::ffff:127.0.0.1]`
`http://[::ffff:255.255.0.0]`	invalid	host=`[::ffff:255.255.0.0]`	host=`[::ffff:255.255.0.0]`

Incorrect IPv6 delimeter priority

URI	Jetty	urllib3(python)	furl(python)	Spring	chromium
`http://[normal.com@]vulndetector.com/`	host=`[normal.com@]`	invalid	invalid
`http://normal.com[user@vulndetector].com/`	host=`[noirmal.com@vulndetector			host=`normal.com`	invalid
`http://normal.com[@]vulndetector.com/`	host=`normal.com[@]			host=`normal.com`	invalid

Incorrect delimeter priority

URI	Jetty	urllib3(python)	jersey
`http://normal.com/#@vulndetector.com`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`
`http://normal.com/?@vulndetector.com`	host=`vulndetector.com`	host=`normal.com`	host=`normal.com`

Impact

Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.