Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable with no authentication; integrity impact limited to application path confusion, no confidentiality or availability impact since Jetty's alias checker blocks direct file serving.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
In Eclipse Jetty, an HTTP URI of this form:
/public;/../admin/secret.txt
results in an unresolved path of:
/public/../admin/secret.txt
instead of the expected:
/admin/secret.txt
Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).
However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
AnalysisAI
Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., /public/../admin/secret.txt) to downstream web applications instead of the canonicalized form (e.g., /admin/secret.txt). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like /public;/../admin/secret.txt to receive a path that bypasses application-layer access controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the target web application must be hosted on Eclipse Jetty (any version per current CPE data); second, and critically, the application's own authorization or routing logic must use the path string supplied by Jetty (e.g., via `HttpServletRequest.getPathInfo()` or `getServletPath()`) without independently normalizing or canonicalizing it prior to making access control decisions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N reflects a network-reachable, low-complexity, unauthenticated attack with limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an HTTP GET request to a Jetty-hosted application with a crafted URI such as `GET /public;/../admin/secret.txt HTTP/1.1`. Jetty's alias checker prevents it from serving the file directly, but the application's authorization middleware receives the unresolved path `/public/../admin/secret.txt`, evaluates it against the `/public/` access rule (matching the leading segment), and incorrectly grants access - responding with the contents of `admin/secret.txt`. … |
| Remediation | No vendor-released patch version is independently confirmed from the available data; the only reference is the Eclipse GitLab work item at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/108, which should be monitored for patch release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Jetty
View allHTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/
Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via
HTTP/1.1 trailer leakage in Eclipse Jetty allows a remote unauthenticated attacker to read trailer headers from a previo
Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the val
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43647