Bug 2444808 (CVE-2025-11143) - CVE-2025-11143 org.eclipse.jetty/jetty-http: org.eclipse.jetty: Security bypass due to differential URI parsing
Keywords:
Status: NEW
Alias: CVE-2025-11143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-03-05 10:01 UTC by OSIDB Bzimport
Modified: 2026-03-05 12:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-05 10:01:19 UTC
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in a security bypass. For example, a component that enforces a blacklist may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
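
The following is an added example, not part of the original report and not Jetty code. It sketches a differential check for the two-component setup described above: the path policy is evaluated on both readings of the request path, and any disagreement is flagged. Both "views", the `/admin` policy and the sample paths are constructed assumptions and do not reproduce Jetty's actual parsing behaviour.

```python
import posixpath
from urllib.parse import unquote

BLOCKED_PREFIX = "/admin"  # constructed policy, not taken from the report


def filter_view(raw_path):
    """Hypothetical filter: resolves dot segments, never percent-decodes."""
    return posixpath.normpath(raw_path)


def backend_view(raw_path):
    """Hypothetical backend: percent-decodes, then resolves dot segments."""
    return posixpath.normpath(unquote(raw_path))


def is_blocked(path):
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


def naive_decision(raw_path):
    """Policy evaluated on the filter's reading only."""
    return "deny" if is_blocked(filter_view(raw_path)) else "allow"


def checked_decision(raw_path):
    """Policy evaluated on both readings; deny if either one is blocked.

    Returns (decision, differential). differential is True when the two
    readings disagree about the policy, which is the event worth logging.
    """
    verdicts = {is_blocked(filter_view(raw_path)),
                is_blocked(backend_view(raw_path))}
    return ("deny" if True in verdicts else "allow", len(verdicts) > 1)


# Constructed request paths for illustration.
SAMPLES = [
    "/public/index.html",
    "/public/a%20b.txt",
    "/admin/users",
    "/%61dmin/users",
    "/public/%2e%2e/admin/users",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:32} naive={naive_decision(path):5} "
              f"checked={checked_decision(path)}")
```

Benign percent-encoding such as `a%20b.txt` is not flagged, because the two readings still agree on the policy outcome; only paths where the verdicts diverge are reported as differential.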

