CVE-2026-1605

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:jetty::::::::
	cpe:2.3:a:eclipse:jetty::::::::

History

No history.

Information

Published : 2026-03-05 10:15

Updated : 2026-03-06 20:16

NVD link : CVE-2026-1605

Mitre link : CVE-2026-1605

CVE.ORG link : CVE-2026-1605

JSON object : View

Products Affected

eclipse

jetty

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2026-1605", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-05T10:15:56.890", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f", "tags": ["Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-401"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}, {"lang": "es", "value": "En Eclipse Jetty, versiones 12.0.0-12.0.31 y 12.1.0-12.0.5, la clase GzipHandler expone una vulnerabilidad cuando una solicitud HTTP comprimida, con Content-Encoding: gzip, es procesada y la respuesta correspondiente no est\u00e1 comprimida.\n\nEsto ocurre porque el Inflater del JDK es asignado para descomprimir la solicitud, pero no es liberado porque el mecanismo de liberaci\u00f3n est\u00e1 ligado a la respuesta comprimida.\nEn este caso, dado que la respuesta no est\u00e1 comprimida, el mecanismo de liberaci\u00f3n no se activa, causando la fuga."}], "lastModified": "2026-03-06T20:16:49.153", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5773AE1D-15DA-44B0-BB9D-A8D9F3C29D21", "versionEndExcluding": "12.0.32", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74198EA2-3D92-4676-A49F-59DCCB4DEB04", "versionEndExcluding": "12.1.6", "versionStartIncluding": "12.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}