(kafka) branch trunk updated: KAFKA-20168 Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 (#21452)

Thu, 12 Feb 2026 11:52:44 -0800 

This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 24b243cc30e KAFKA-20168 Upgrade Jetty from 12.0.22 to 12.0.32 to fix 
CVE-2025-5115 (#21452)
24b243cc30e is described below

commit 24b243cc30e31fa6581c199ab219975e7182e310
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Fri Feb 13 03:52:15 2026 +0800

    KAFKA-20168 Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 
(#21452)
    
    Upgrade Jetty from 12.0.22 to 12.0.32 to address
    
    
https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
    (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH).
    
      Note that CVE-2025-5115 only affects the
    `org.eclipse.jetty.http2:jetty-http2-common` module. Kafka does not
    depend on this module — its embedded Jetty servers (Connect RestServer
    and Trogdor JsonRestServer) only use HTTP/1.1 via `ServerConnector`
    without any                     `HTTP2ServerConnectionFactory`
    configuration. As such, the attack vector is not applicable. This
    upgrade from 12.0.22 to 12.0.32 is to keep the dependency up to date.
    
    4.0: https://github.com/apache/kafka/pull/21462
    4.1: https://github.com/apache/kafka/pull/21461
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 5b50617ab5c..b631a420646 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -225,16 +225,16 @@ License Version 2.0:
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.30.2-GA
-- jetty-alpn-client-12.0.22
-- jetty-client-12.0.22
-- jetty-ee10-servlet-12.0.22
-- jetty-ee10-servlets-12.0.22
-- jetty-http-12.0.22
-- jetty-io-12.0.22
-- jetty-security-12.0.22
-- jetty-server-12.0.22
-- jetty-session-12.0.22
-- jetty-util-12.0.22
+- jetty-alpn-client-12.0.32
+- jetty-client-12.0.32
+- jetty-ee10-servlet-12.0.32
+- jetty-ee10-servlets-12.0.32
+- jetty-http-12.0.32
+- jetty-io-12.0.32
+- jetty-security-12.0.32
+- jetty-server-12.0.32
+- jetty-session-12.0.32
+- jetty-util-12.0.32
 - jose4j-0.9.6
 - jspecify-1.0.0
 - log4j-api-2.25.3
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 5a1f5701d76..1863165d485 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -66,7 +66,7 @@ versions += [
   jacksonAnnotations: "2.20",
   jacoco: "0.8.14",
   javassist: "3.30.2-GA",
-  jetty: "12.0.22",
+  jetty: "12.0.32",
   jersey: "3.1.10",
   jline: "3.30.4",
   jmh: "1.37",

Reply via email to