Eclipse


Products by Eclipse Sorted by Most Security Vulnerabilities since 2018

Eclipse Jetty: 37 vulnerabilities (Jetty is an HTTP server and servlet container)
Eclipse Openj9: 20 vulnerabilities
Eclipse Mosquitto: 20 vulnerabilities
Eclipse Glassfish: 10 vulnerabilities
Eclipse Vert X: 8 vulnerabilities
Eclipse Threadx Netx Duo: 7 vulnerabilities
Eclipse Threadx: 5 vulnerabilities
Eclipse Omr: 5 vulnerabilities
Eclipse Kura: 4 vulnerabilities
Eclipse Jgit: 3 vulnerabilities
Eclipse Open Vsx: 2 vulnerabilities
Eclipse Parsson: 2 vulnerabilities
Eclipse Dataspace Components: 2 vulnerabilities
Eclipse Target Management: 1 vulnerability
Eclipse Ditto: 1 vulnerability
Eclipse Edc Connector: 1 vulnerability
Eclipse Jakarta Mail: 1 vulnerability
Eclipse Nextx Duo: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Eclipse. Last year, in 2025, Eclipse had 49 security vulnerabilities published. Right now, Eclipse is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year  Vulnerabilities  Average Score
2026        0           0.00
2025       49           7.24
2024       23           6.72
2023       24           6.88
2022       18           6.97
2021       35           7.14
2020       13           7.65
2019       34           7.50
2018       15           7.96

It may take a day or so for new Eclipse vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Eclipse Security Vulnerabilities

CVE | Date | Product

CVE-2025-2515 | Dec 24, 2025
BlueChi rootpriv escalation by overwrite systemd units on RHIVOS
A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise.

CVE-2025-14549 | Dec 15, 2025 | Omr
Eclipse OMR 0.8.0: UTF-8 NUL truncation bug fixed (Z processors)
In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc.) to IBM-1047/037 translation sequence. This can cause the output byte array to be truncated, discarding the first NUL byte and all subsequent characters, and thereby exposing a possible buffer over-read problem. This issue is fixed in Eclipse OMR version 0.8.0.

CVE-2025-10543 | Dec 02, 2025
Eclipse Paho Go MQTT <=1.5.0: UTF-8 Length Overflow in PUBLISH Packets
In the Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang), versions <=1.5.0, UTF-8 encoded strings passed into the library may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending on the CPU) to an int16 without an overflow check. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes, the amount of data written exceeded what the length field indicated. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

CVE-2025-12383 | Nov 18, 2025
Eclipse Jersey 2.45/3.0.16/3.1.9 Race Cond Ignoring SSL Configs
In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configurations to be ignored, such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in an SSLHandshakeException under normal circumstances, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC).

CVE-2025-11965 | Oct 22, 2025 | Vert X
Eclipse Vert.x StaticHandler flaw: hidden dirs not blocked v4.0.0-5.0.4
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

CVE-2025-11966 | Oct 22, 2025 | Vert X
Stored XSS via Unescaped Filenames in Vert.x Directory Listing (4.0-5.0)
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
CVE-2025-55086 | Oct 20, 2025
NetXDuo <6.4.4 DHCPV6 OOM via Unchecked DUID Index
In NetXDuo versions before 6.4.4, a networking support module for Eclipse Foundation ThreadX, the DHCPV6 client had an unchecked index when extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out of memory read.

CVE-2025-55085 | Oct 17, 2025
NextX Duo <6.4.4 HTTP Header Parse Bypass (UB)
In NextX Duo before 6.4.4, in the HTTP client module of the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.

CVE-2025-55087 | Oct 17, 2025 | Nextx Duo
Out-of-Bound Read in NextX Duo SNMP Addon (<6.4.4) via SNMPv3 Params
In NextX Duo's SNMP addon, versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read via crafted SNMPv3 security parameters.

CVE-2025-55100 | Oct 17, 2025
USBX <6.4.3 OOB Read in _ux_host_class_audio10_sam_parse_func() Eclipse
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.

CVE-2025-55099 | Oct 17, 2025
USBX OOB Read in _ux_host_class_audio_alternate_setting_locate before 6.4.3
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.

CVE-2025-55098 | Oct 17, 2025
USBX OOB Read in _ux_host_class_audio_device_type_get() before 6.4.3
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _ux_host_class_audio_device_type_get() when parsing a descriptor of a USB audio device.

CVE-2025-55097 | Oct 17, 2025
USBX <6.4.3 OOB Read in _ux_host_class_audio_streaming_sampling_get()
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of a USB streaming device.

CVE-2025-55096 | Oct 17, 2025
USBX<=6.4.2 OOB Read in HID Descriptor Parsing
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _ux_host_class_hid_report_descriptor_get() when parsing a descriptor of a USB HID device.

CVE-2025-55094 | Oct 17, 2025
NetX Duo 6.4.4 OOB Read in _nx_icmpv6_validate_options ICMP6 options
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.

CVE-2025-55093 | Oct 17, 2025
NetX Duo <6.4.4 OOB Read in _nx_ipv4_packet_receive ThreadX networking module
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.

CVE-2025-55092 | Oct 17, 2025
NetX Duo <6.4.4 OOB Read in IPv4 Timestamp Option
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.

CVE-2025-55091 | Oct 16, 2025
NetX Duo (<=6.4.3) OOB Read in _nx_ip_packet_receive()
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in the _nx_ip_packet_receive() function when receiving an Ethernet frame with its type set to IP but carrying no IP data.

CVE-2025-55090 | Oct 16, 2025
NetX Duo <6.4.4 OOB Read in _nx_ipv4_packet_receive() potential memory leak
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bound read issue in the _nx_ipv4_packet_receive() function when receiving an Ethernet frame with fewer than 4 bytes of IP packet.

CVE-2025-55089 | Oct 16, 2025
Buf overflow in FileX <6.4.2 causing remote execution
In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It could cause remote execution after receiving a crafted sequence of packets.
CVE-2025-55084 | Oct 16, 2025
NetX Duo <6.4.4: Incorrect bound check in TLS ext. version field (ThreadX)
In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was an incorrect bound check in _nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field.

CVE-2025-55083 | Oct 15, 2025
OOB Read in NetX Duo <6.4.4 via Eclipse ThreadX
In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was an incorrect bound check resulting in an off-by-two out-of-bound read.

CVE-2025-55082 | Oct 15, 2025
NetX Duo <6.4.4: OOB Read in ThreadX TLS PSK ClientHello
In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was a potential out-of-bound read in _nx_secure_tls_process_clienthello() because of a missing validation of the PSK length provided in the user message.

CVE-2025-55081 | Oct 15, 2025
Eclipse NextX Duo <6.4.4 OOB Read via Missing Length Check in TLS Client Hello
In Eclipse Foundation NextX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS client hello message fields: the ciphersuite length and compression method length. In the case of an attacker-crafted message with values outside of the expected range, it could cause an out-of-bound read.

CVE-2025-55080 | Oct 15, 2025 | Threadx
ThreadX <6.4.3 Arbitrary Mem Read/Write via Weak Syscall Verification
In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameter verification was insufficient, allowing an attacker to obtain an arbitrary memory read/write.

CVE-2025-55079 | Oct 15, 2025 | Threadx
ThreadX DoS via Thread Priority Escalation (<6.4.3)
In Eclipse ThreadX before version 6.4.3, the thread module has a setting for maximum priority. In some cases the check of that maximum priority wasn't performed, allowing a thread with higher priority than expected to be obtained and causing a possible denial of service.

CVE-2025-55078 | Oct 14, 2025 | Threadx
Eclipse ThreadX <6.4.3: DoS via Unchecked Memory Pointer
In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region.

CVE-2025-7962 | Jul 21, 2025 | Jakarta Mail
Jakarta Mail 2.0.2 SMTP Injection via UTF-8 CR/NL
In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by utilizing the \r and \n UTF-8 characters to separate different messages.
CVE-2024-9408 | Jul 16, 2025 | Glassfish
GlassFish 6.2.5+ SSRF in specific endpoints
In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

CVE-2024-9343 | Jul 16, 2025 | Glassfish
Eclipse GlassFish 7.0.15 S2S XSS in Admin Console
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.

CVE-2024-9342 | Jul 16, 2025 | Glassfish
Eclipse GlassFish <=7.0.16 Brute Force Login
In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation on the number of failed login attempts.

CVE-2024-10032 | Jul 16, 2025 | Glassfish
Eclipse GlassFish 7.0.15: Stored XSS in Admin Console
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.

CVE-2024-10031 | Jul 16, 2025 | Glassfish
Eclipse GlassFish 7.0.15 Stored XSS via OS config file mod
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.

CVE-2024-10029 | Jul 16, 2025 | Glassfish
Eclipse GlassFish 7.0.15 Reflected XSS in Admin Console
In Eclipse GlassFish version 7.0.15 it is possible to perform Reflected Cross-site scripting attacks in the Administration Console.

CVE-2025-6705 | Jun 27, 2025 | Open Vsx
Eclipse Open VSX: Unauthorized Extension Uploads via Unisolated Build Scripts
A vulnerability in the Eclipse Open VSX Registry's automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system's build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

CVE-2025-4949 | May 21, 2025 | Jgit
Eclipse JGit XXE in ManifestParser & AmazonS3 before 7.2.0.202503040940-r
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows storing git pack files in an Amazon S3 bucket) are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVE-2025-4447 | May 09, 2025 | Openj9
Eclipse OpenJ9 <0.51: Stack Buffer Overflow via Disk File on JVM Startup
In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8, a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts.
CVE-2024-13009 | May 08, 2025 | Jetty
Jetty 9.4.x Gzip Inflate Buffer Release Vulnerability
In Eclipse Jetty versions 9.4.0 to 9.4.56, a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

CVE-2025-1948 | May 08, 2025 | Jetty
Jetty HTTP/2 Server OOM via SETTINGS_MAX_HEADER_LIST_SIZE (12.0.0-12.0.16)
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.

CVE-2025-2258 | Apr 06, 2025 | Threadx Netx Duo
NetX Duo HTTP int underflow DOS before v6.4.3
In the NetX Duo HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, using specially crafted packets with a Content-Length smaller than the data request size. A possible workaround is to disable HTTP PUT support. This issue follows an incomplete fix in CVE-2025-0728.

CVE-2025-2259 | Apr 06, 2025 | Threadx Netx Duo
Eclipse ThreadX NetX Duo <6.4.3 HTTP int underflow DoS
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, using specially crafted packets with the Content-Length in one packet smaller than the data request size of the other packet. A possible workaround is to disable HTTP PUT support. This issue follows an incomplete fix of CVE-2025-0727.

CVE-2025-2260 | Apr 06, 2025 | Threadx Netx Duo
NetX Duo HTTP DoS via Missing File Closure before v6.4.3 (Eclipse ThreadX)
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service with specially crafted packets. The core issue is a missing close of a file in case of an error condition, resulting in a 404 error for each further file request. Users can work around the issue by disabling PUT request support. This issue follows an incomplete fix of CVE-2025-0726.

CVE-2024-10838 | Mar 12, 2025 | Cyclone Data Distribution Service
Unauthenticated OOB Heap Read via Integer Underflow in Deserialization
An integer underflow during deserialization may allow any unauthenticated user to read out-of-bounds heap memory. This may result in secret data or pointers revealing the layout of the address space being included in a deserialized data structure, which may potentially lead to thread crashes or cause denial of service conditions.

CVE-2025-1471 | Feb 21, 2025 | Omr
Eclipse OMR <=0.4.0 Buffer Overflow in Z/OS ATOE Print Functions
In Eclipse OMR versions 0.2.0 to 0.4.0, some of the z/OS atoe print functions use a constant length buffer for string conversion. If the input format string and arguments are larger than the buffer size, then a buffer overflow occurs. Beginning in version 0.5.0, the conversion buffers are sized correctly and checked appropriately to prevent buffer overflows.

CVE-2025-1470 | Feb 21, 2025 | Omr
Null Ptr Deref in Eclipse OMR OAE atoe lib (pre v0.5.0)
In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. This can lead to NULL pointer dereference crashes. Beginning in version 0.5.0, internal OMR consumers of atoe functions handle NULL return values and memory allocation failures correctly.

CVE-2025-0728 | Feb 21, 2025 | Threadx Netx Duo
NetX Duo <6.4.2 HTTP Integer Underflow/DoS
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, using specially crafted packets with a Content-Length smaller than the data request size. A possible workaround is to disable HTTP PUT support.

CVE-2025-0727 | Feb 21, 2025 | Threadx Netx Duo
NetX Duo <6.4.2 HTTP Server Integer Underflow DoS via PUT
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, using specially crafted packets with the Content-Length in one packet smaller than the data request size of the other packet. A possible workaround is to disable HTTP PUT support.

CVE-2025-0726 | Feb 21, 2025 | Threadx Netx Duo
NetX Duo <6.4.2 HTTP Server DoS via PUT File Leak
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service with specially crafted packets. The core issue is a missing close of a file in case of an error condition, resulting in a 404 error for each further file request. Users can work around the issue by disabling PUT request support.

CVE-2025-1007 | Feb 19, 2025 | Open Vsx
OpenVSX 0.9.0 to 0.20.0: namespace API leaks privilege escalation
In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.

CVE-2024-10917 | Nov 11, 2024 | Openj9
Eclipse OpenJ9 JNI GetStringUTFLength Function Incorrect Value Return Vulnerability
In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).