Hello Team,

We are seeing a high severity vulnerability, CVE-2025-1948 under category CWE-400 (Uncontrolled Resource Consumption), because of org.eclipse.jetty.http2:http2-common 10.0.22 coming from solr-solrj 9.8.0 in the Software Composition Analysis scan. Please let us know if it affects Solr 9.8.0 and the plans/timelines for the remediation of this vulnerability.

CVE-2025-1948 | Category CWE-400 | Uncontrolled Resource Consumption

In Eclipse Jetty, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter "SETTINGS_MAX_HEADER_LIST_SIZE". The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.

This vulnerability affects 12.0.0.alpha0 through 12.0.16 and 12.1.0.alpha0 through 12.1.0.alpha1, and org.eclipse.jetty.http2:http2-common package versions 9.3.12.v20160915 through 9.3.30.v20211001, and 9.4.0.M1 through 11.0.25.

Thanks & Regards,
Vanishree Rao
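The mechanism the CVE text describes, as an added example that is not part of the message above and is not Jetty's or Solr's code: it builds an HTTP/2 SETTINGS frame per RFC 7540 section 6.5 in which the client advertises the maximum 32-bit SETTINGS_MAX_HEADER_LIST_SIZE, parses it the way a server would, and then contrasts a buffer-sizing step that trusts the peer's value (the failure mode in the advisory) with one that caps it. The local limit LOCAL_MAX_RESPONSE_HEADERS_SIZE and the two capacity functions are assumptions for illustration, not Jetty configuration or Jetty's fix.

```python
"""Added example (not from the mailing-list post or Jetty's source): build an
HTTP/2 SETTINGS frame per RFC 7540 section 6.5 carrying an oversized
SETTINGS_MAX_HEADER_LIST_SIZE, parse it the way a server would, and contrast a
buffer-sizing step that trusts the peer's value with one that caps it."""
import struct

FRAME_TYPE_SETTINGS = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6      # RFC 7540 section 6.5.2 identifier
MAX_U32 = 0xFFFF_FFFF

# Assumed local policy, not a Jetty setting: the largest response header
# block this server is prepared to encode, so the only size it ever needs to
# reserve for HPACK output.
LOCAL_MAX_RESPONSE_HEADERS_SIZE = 8 * 1024


def encode_settings_frame(settings):
    """Frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
    (SETTINGS must use stream 0). Payload: 16-bit id + 32-bit value pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())
    header = (struct.pack("!I", len(payload))[1:]          # 24-bit length
              + bytes([FRAME_TYPE_SETTINGS, 0x00])         # type, flags
              + struct.pack("!I", 0))                      # R bit + stream id 0
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame into {identifier: value}, rejecting the
    malformed shapes RFC 7540 calls protocol errors. A huge
    SETTINGS_MAX_HEADER_LIST_SIZE is *valid* on the wire: the RFC gives it no
    upper bound, so the receiver has to apply its own limit."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFF_FFFF
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    if len(frame) != 9 + length or length % 6 != 0:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    settings = {}
    for off in range(9, 9 + length, 6):
        ident, value = struct.unpack("!HI", frame[off:off + 6])
        settings[ident] = value
    return settings


def unchecked_encoder_capacity(peer_settings):
    """The failure mode the CVE text describes: size the HPACK output buffer
    from the peer's advertised value with no validation (illustrative)."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_RESPONSE_HEADERS_SIZE)


def capped_encoder_capacity(peer_settings, local_cap=LOCAL_MAX_RESPONSE_HEADERS_SIZE):
    """Hardened variant (illustrative, not Jetty's patch): the peer's value
    only says how much *it* will accept, so never reserve more than the
    largest header block this side would send anyway."""
    advertised = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, local_cap)
    return min(advertised, local_cap)


def demo():
    # Constructed frame: a client claiming it accepts 4 GiB of headers.
    frame = encode_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: MAX_U32})
    peer = parse_settings_frame(frame)
    return unchecked_encoder_capacity(peer), capped_encoder_capacity(peer)


if __name__ == "__main__":
    unchecked, capped = demo()
    print("frame bytes:", encode_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: MAX_U32}).hex())
    print(f"unchecked allocation would be {unchecked:,} bytes; capped allocation is {capped:,} bytes")
```

The point the example makes is that the setting is the peer's declared receive limit, not a size the server has to honour when reserving memory: RFC 7540 puts no upper bound on it, so a server that turns the advertised value directly into a buffer capacity lets a single unauthenticated client request a multi-gigabyte allocation. Whatever value the peer sends, the encoder only ever needs room for the largest header block the server itself is willing to emit.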