The Jetty project [1] has announced two security issues classified as "high": a memory exhaustion issue with crafted HTTP/2 requests (12.x series, fixed in 12.0.17) as CVE-2025-1948, and a cross-request data corruption issue with potential information leakage when gzip compression is enabled (9.4.x, fixed in 9.4.57, security patch to an otherwise EoL release) as CVE-2024-13009.

CVE-2025-1948 details: <https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8>

CVE-2024-13009 details: <https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5>

[1] Description from project README: "Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. Jetty's goal is to support web protocols (HTTP/1, HTTP/2, HTTP/3, WebSocket, etc.) in a high volume low latency way that provides maximum performance while retaining the ease of use and compatibility with years of Servlet development."