GHSA-h2f4-v4c4-6wx4

GitHub Security Advisory

Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Affected Packages

Maven org.eclipse.jetty:jetty-server
Affected versions: 9.4.0 (fixed in 9.4.12.v20180830)
Maven org.eclipse.jetty:jetty-server
Affected versions: 9.3.0 (fixed in 9.3.25.v20180904)

Related CVEs

Key Information

GHSA ID: GHSA-h2f4-v4c4-6wx4
Published: March 28, 2019 6:33 PM
Last Modified: September 17, 2022 12:33 AM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.eclipse.jetty:jetty-server
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.