Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable without authentication and no special conditions required; impact limited to partial integrity via redirect or routing manipulation, with no confidentiality or availability consequence.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).
This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).
This mismatch can cause a number of problems that may be classified as vulnerabilities such as:
*
URI constructions (for example, for redirects -- this is typical for login pages)
*
Virtual host selection
*
Reverse proxying
*
Misleading logs
*
Etc.
Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.
AnalysisAI
Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the value in the Host header across all supported protocol versions - HTTP/1, HTTP/2, and HTTP/3. Unauthenticated network attackers can exploit this input validation gap to manipulate Host-header-derived URI constructions (particularly redirect targets on login pages), influence virtual host selection, corrupt reverse proxy routing decisions, and produce misleading access logs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required (PR:N per CVSS vector) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects the low attack complexity and unauthenticated network reachability, while correctly limiting impact to partial integrity - no confidentiality or availability consequences are expected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends an HTTP/1.1 request to a Jetty-hosted login page with a request line specifying the legitimate server's authority but a Host header value pointing to an attacker-controlled domain. Jetty, without enforcing authority-Host consistency, processes the request and constructs a post-authentication redirect URI derived from the manipulated Host header, redirecting the authenticated user's browser to the attacker's domain - enabling credential harvesting or session token theft. … |
| Remediation | Monitor the Eclipse Foundation's security tracker at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/99 and upgrade to the patched Jetty release once announced; no specific fix version has been confirmed in the available data, so a release version cannot be cited here. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Jetty
View allHTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/
Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via
HTTP/1.1 trailer leakage in Eclipse Jetty allows a remote unauthenticated attacker to read trailer headers from a previo
Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43646