Description
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.


This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.
In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Memory Exhaustion
Action: Apply Patch
AI Analysis

Impact

Eclipse Jetty releases 12.0.0 through 12.0.31 and 12.1.0 through 12.0.5 contain a flaw in the GzipHandler. When a client sends a gzip‑compressed HTTP request while the server is configured to serve uncompressed responses, the JDK Inflater allocated to decompress the request is never released. The undeleted Inflater objects accumulate with each such request, eventually exhausting the JVM heap and causing the server to crash or become unresponsive. The weakness is an uncontrolled resource consumption vulnerability, specifically CWE-400, CWE-401, and CWE-772.

Affected Systems

Vendor: Eclipse Foundation; Product: Eclipse Jetty. Vulnerable releases include Jetty 12.0.0 up to 12.0.31 and Jetty 12.1.0 through 12.0.5. Any deployment using GzipHandler with this configuration and accepting gzip‑encoded requests without an accompanying compressed response is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while an EPSS of less than 1 % reflects a low likelihood of exploitation in the wild. The vulnerability is not present in CISA's KEV catalog. The attack vector is over the network via crafted HTTP requests; an attacker only needs the ability to send repeated compressed requests to the server. No privileged or authenticated access is required. If exploited, the attacker can trigger a denial of service by exhausting server memory over time.

Generated by OpenCVE AI on April 17, 2026 at 12:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eclipse Jetty to a patched release (12.0.32 or later).
  • Reconfigure or disable GzipHandler so that gzip‑encoded requests are not accepted unless the server also serves compressed responses.
  • Implement application‑level rate limiting or monitoring to detect and mitigate repeated compressed requests that could consume excess memory.

Generated by OpenCVE AI on April 17, 2026 at 12:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xxh7-fcf3-rj7f The Eclipse Jetty Server Artifact has a Gzip request memory leak
History

Fri, 06 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse jetty
Vendors & Products Eclipse
Eclipse jetty

Fri, 06 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
Weaknesses CWE-772
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 05 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
Description In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Weaknesses CWE-400
CWE-401
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Eclipse Jetty
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-03-05T14:46:16.289Z

Reserved: 2026-01-29T10:58:31.963Z

Link: CVE-2026-1605

cve-icon Vulnrichment

Updated: 2026-03-05T14:46:13.125Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T10:15:56.890

Modified: 2026-03-06T20:16:49.153

Link: CVE-2026-1605

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-05T09:39:01Z

Links: CVE-2026-1605 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses