CVE-2025-11143

CVSS 3.7 LOWEPSS 0.2%CWE-20

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

05 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Eclipse Foundation · Eclipse Jetty

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh