CVE-2026-1605

High CVSS: 7.5

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.

This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.
In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

Vendor

Eclipse

Product

Jetty

CWE

CWE-400

Yayın Tarihi

2026-03-05 10:15:56

Güncelleme

2026-03-06 20:16:49

Source Identifier

emo@eclipse.org

KEV Date Added

Kategoriler

CWE-400 Jetty HIGH Eclipse 2026

Referanslar

https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f

Benzer Kayıtlar

Critical

CVE-2026-24457

An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server.…

Low

CVE-2025-11143

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Different…

Critical

CVE-2026-1699

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_tar…

Medium

CVE-2026-1188

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all suppor…

High

CVE-2026-0648

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_…

High

CVE-2025-55102

A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A special…