Jetty HTTP/2 RST_STREAM DoS (9.4.57,10.0.25,11.0.25,12.0.21,12.1.0.alpha2)
CVE-2025-5115 Published on August 20, 2025
MadeYouReset HTTP/2 vulnerability
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.
For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.
Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.
The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.
The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.
Links:
* https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2025-5115 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2025-5115
Want to know whenever a new CVE is published for Oracle? stack.watch will email you.
Affected Versions
Eclipse Jetty:- Version >=9.3.0, <= <=9.4.57 is affected.
- Version >=10.0.0, <= <=10.0.25 is affected.
- Version >=11.0.0, <= <=11.0.25 is affected.
- Version >=12.0.0, <= <=12.0.21 is affected.
- Version >=12.1.0.alpha0, <= <=12.1.0.alpha2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.