anonhaven
Ad

CVE-2026-1605

HIGH CVSS 3.1: 7.5 EPSS 0.06%
Updated Mar 06, 2026
Eclipse
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 12.0.0 — 12.1.6
Fixed In 12.0.32
Type CWE-401 (Memory Leak), CWE-400 (Uncontrolled Resource Consumption)
Vendor Eclipse
Public PoC No

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-401 Memory Leak
CWE-400 Uncontrolled Resource Consumption

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Eclipse Jetty
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
 12.0.0 12.0.32
Eclipse Jetty
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
 12.1.0 12.1.6

References 1

https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
emo@eclipse.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2025-11143

Eclipse

6.5

CVE-2026-22886

Elipse

9.8

CVE-2026-0648

Eclipse

6.3

CVE-2025-55102

Eclipse

8.7

CVE-2025-55095

Eclipse

7.0