CVE-2025-11143: URI Parsing Differential in Eclipse Jetty

CVE-2025-11143 is an Improper Input Validation vulnerability (CWE-20) manifesting as a parser differential in the Eclipse Jetty server. The core issue lies in how the HttpURI class processes Uniform Resource Identifiers (URIs), specifically in its handling of the Authority component and delimiter precedence.

In modern web architectures, requests often pass through multiple layers (WAFs, reverse proxies, load balancers) before reaching the application server. Security depends on all layers interpreting the URI effectively the same way. When the backend server (Jetty) interprets a URI differently than the frontend security layer, it creates a desynchronization window. An attacker can construct a payload that appears benign to the frontend but is interpreted as malicious or targeting a different resource by Jetty.

While the CVSS score is Low (3.7) due to the complexity required to exploit it (dependence on specific upstream configurations), the technical implications are significant. It breaks the trust boundary between the network edge and the application container, effectively rendering upstream Access Control Lists (ACLs) based on hostnames or paths unreliable.

The vulnerability stems from a logic error in the state machine implementation of HttpURI. According to RFC 3986, the Authority component of a URI (which contains the host and userinfo) is terminated by the first occurrence of a path delimiter (/), query delimiter (?), or fragment delimiter (#).

Jetty's parser failed to strictly enforce this termination logic. Specifically, the parser continued to scan for the userinfo delimiter (@) even after encountering a fragment (#) or query (?) character. This created a priority inversion where Jetty would interpret characters after a fragment as part of the Authority (userinfo), whereas standard-compliant parsers would treat them as part of the fragment or query string.

Additionally, the parser exhibited permissive validation for URI schemes. It accepted non-standard characters (such as >) within the scheme definition, allowing malformed URIs like https>:// to be processed. This lack of strict validation further widened the gap between Jetty's interpretation and that of strictly compliant upstream parsers.

The fix for this issue involves tightening the state machine in HttpURI.java and introducing strict validation utilities in URIUtil.java. The vulnerability existed because the loop parsing the Authority section did not break immediately upon seeing a fragment or query start.

Below is a conceptual representation of the vulnerable logic versus the patched logic:

// VULNERABLE LOGIC (Conceptual)
// The parser scans for '@' to identify userinfo, potentially ignoring preceding '#' or '?'
for (int i = start; i < end; i++) {
    char c = uri.charAt(i);
    if (c == '@') {
        // Jetty incorrectly assumes everything before this is userinfo,
        // even if we already passed a '#' character.
        hasUserInfo = true;
        hostStart = i + 1;
    }
}

The patch enforces strict termination of the authority parsing state. When a delimiter is found, the authority boundaries are frozen:

// PATCHED LOGIC (Conceptual)
// Commit: 28d9af2a2a3346d7edd35e3b6372a68c5a3be4a5
 
// New validation ensures the scheme only contains valid chars
URIUtil.validateScheme(scheme);
 
// During parsing, if we hit a path, query, or fragment start,
// we MUST stop treating characters as part of the Authority.
if (c == '/' || c == '?' || c == '#') {
    // Authority parsing ends here. 
    // The '@' symbol cannot appear after this point.
    break;
}

Furthermore, the patch introduces URIUtil.validateInetAddress to harden IPv6 literal parsing, ensuring that bracketed addresses [...] are handled with strict adherence to format specifications, rejecting ambiguous constructs that could confuse the host parser.

The primary attack vector leverages the parser differential to bypass blocklists or routing rules. Consider a setup where a WAF blocks requests to evil.com but allows normal.com. An attacker creates the following URI:

http://normal.com/#@evil.com/

1. Upstream Parser (WAF):

• Reads Scheme: http
• Reads Authority: normal.com
• Reads Fragment: #@evil.com/
• Verdict: Allowed. The host normal.com is trusted.

2. Vulnerable Jetty Parser:

• Reads Scheme: http
• Scans for @: Found at index 18.
• Interprets normal.com/# as UserInfo.
• Interprets evil.com as the Host.
• Verdict: The request is processed within the virtual host context of evil.com.

This behavior allows the attacker to access internal virtual hosts or bypass host-header validation checks implemented at the proxy level. The diagram below illustrates this flow:

The impact of CVE-2025-11143 is primarily localized to Integrity and Security Control Bypass. While it does not inherently provide Remote Code Execution (RCE), it degrades the reliability of security boundaries.

• Access Control Bypass: Attackers can reach administrative endpoints or internal virtual hosts that should be unreachable from the public internet.
• Cache Poisoning: If the upstream cache keys the response based on normal.com but Jetty serves content from evil.com, valid users requesting normal.com might receive the malicious content cached from the attacker's request.
• SSRF Facilitation: If the application logic uses the parsed URI to make further outbound requests, the host confusion can redirect these requests to unintended destinations.

The CVSS score remains Low (3.7) because the attack complexity is High (AC:H). The vulnerability is latent; it requires a specific upstream architecture (reverse proxy + Jetty) where the upstream parser is RFC-compliant (or strict) and Jetty is loose, causing the divergence.