Hello Team,

We are seeing a high severity vulnerability CVE-2025-5115 <https://ast.checkmarx.net/vulnerabilities/CVE-2025-5115%3AMaven-org.eclipse.jetty.http2%3Ahttp2-common-10.0.22/vulnerabilityDetailsGql> under category CWE-400 (Uncontrolled Resource Consumption) because of org.eclipse.jetty.http2:http2-common 10.0.22 coming from solr-solrj 9.8.0 in the Software Composition Analysis scan.

Please let us know if it affects Solr 9.8.0 and the plans/timelines for the remediation of this vulnerability.

CVE-2025-5115 | Category CWE-400 | Uncontrolled Resource Consumption

In Eclipse Jetty, an HTTP/2 client may trigger the server to send "RST_STREAM" frames, for example, by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send "WINDOW_UPDATE" frames with a window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-windowupdate, the server should send a "RST_STREAM" frame. The client can then open another stream and send another invalid "WINDOW_UPDATE" frame, causing the server to again consume unnecessary resources. This behavior does not exceed the maximum number of concurrent streams, yet the client is able to create an enormous number of streams in a short period of time. The attack can also be carried out under other conditions, for example, by sending a "DATA" frame for a closed stream, which causes the server to send a "RST_STREAM" frame.

This issue affects org.eclipse.jetty.http2:jetty-http2-common package 12.0.x prior to 12.0.25, and 12.1.x prior to 12.1.0.beta2, and org.eclipse.jetty.http2:http2-common versions 9.3.0M0 through 9.4.57, 10.0.0-alpha0 through 10.0.25, 11.0.0-alpha0 through 11.0.25.

Thanks & Regards,
Vanishree Rao (Vaa-nee Shree Ra-ao)
Sr. Developer, Application Development
vanishree....@transunion.com <mailto:vanishree....@transunion.com>
M: +91 8097034710
Pronouns: She/Her

This email including, without limitation, the attachments, if any, accompanying this email, may contain information which is confidential or privileged and exempt from disclosure under applicable law. The information is for the use of the intended recipient. If you are not the intended recipient, be aware that any disclosure, copying, distribution, review or use of the contents of this email, and/or its attachments, is without authorization and is prohibited. If you have received this email in error, please notify us by reply email immediately and destroy all copies of this email and its attachments.
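The following is an added example, not part of the email above and not code from the Solr or Jetty projects: a small Python triage helper that checks resolved org.eclipse.jetty.http2 artifact versions against the affected ranges exactly as the advisory text quoted in the email states them, and scans `mvn dependency:tree`-style output for those artifacts. It assumes a Maven-style pre-release ordering (alpha < beta < M < rc < final release), treats Jetty 9's `.vYYYYMMDD` build-date suffix as irrelevant to the range check, and the dependency tree it scans is a constructed sample (the http2-client and http2-hpack entries are invented for illustration; only "http2-common 10.0.22 under solr-solrj 9.8.0" comes from the email). A range hit means the artifact version falls inside the advisory's stated range; whether the product actually exercises the affected server-side HTTP/2 code path is the separate question the email is asking the project.

```python
import re

JETTY_HTTP2_GROUP = "org.eclipse.jetty.http2"

# Pre-release qualifier ordering: alpha < beta < M (milestone) < rc < final release.
# Assumption modelled on Maven's qualifier rules; sufficient for the strings the advisory uses.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "m": 2, "rc": 3}
RELEASE_RANK = 4  # a bare x.y.z release sorts after any pre-release of the same x.y.z

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"               # major.minor.patch
    r"(?:[.-]?(alpha|beta|m|rc)(\d*))?"   # optional qualifier: -alpha0, .beta2, M0, rc1
    r"(?:\.v\d{8})?$",                    # Jetty 9 build-date suffix (.v20241219) is ignored
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '10.0.22', '10.0.0-alpha0', '12.1.0.beta2' or '9.3.0M0' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    if qualifier is None:
        return (int(major), int(minor), int(patch), RELEASE_RANK, 0)
    return (int(major), int(minor), int(patch), QUALIFIER_RANK[qualifier.lower()], int(qnum or 0))


# Affected ranges as written in the advisory text quoted in the email.
# (artifact, lowest affected version, upper bound, is the upper bound inclusive?)
# "through" is read as inclusive, "prior to" as exclusive; the "x.y.x" lower bounds
# are taken as the first pre-release of that line (assumption).
AFFECTED_RANGES = [
    ("jetty-http2-common", "12.0.0-alpha0", "12.0.25", False),      # 12.0.x prior to 12.0.25
    ("jetty-http2-common", "12.1.0-alpha0", "12.1.0.beta2", False),  # 12.1.x prior to 12.1.0.beta2
    ("http2-common", "9.3.0M0", "9.4.57", True),                     # 9.3.0M0 through 9.4.57
    ("http2-common", "10.0.0-alpha0", "10.0.25", True),              # 10.0.0-alpha0 through 10.0.25
    ("http2-common", "11.0.0-alpha0", "11.0.25", True),              # 11.0.0-alpha0 through 11.0.25
]


def is_affected(artifact, version):
    """True if (artifact, version) falls inside one of the advisory's stated ranges."""
    v = parse_version(version)
    for art, lo, hi, hi_inclusive in AFFECTED_RANGES:
        if art != artifact:
            continue
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        if v < lo_v:
            continue
        if v < hi_v or (hi_inclusive and v == hi_v):
            return True
    return False


def triage_dependency_tree(tree_text):
    """Scan 'mvn dependency:tree' style lines (groupId:artifactId:type[:classifier]:version:scope)
    and classify every org.eclipse.jetty.http2 artifact found."""
    listed = {art for art, *_ in AFFECTED_RANGES}
    findings = []
    for line in tree_text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 3 or parts[0] != JETTY_HTTP2_GROUP:
                continue
            artifact = parts[1]
            # The version is the first component after the artifact that starts with a digit;
            # type, classifier and scope ("jar", "tests", "compile") never do.
            version = next((p for p in parts[2:] if p[:1].isdigit()), None)
            if version is None:
                continue
            if artifact not in listed:
                status = "not in advisory"
            elif is_affected(artifact, version):
                status = "affected"
            else:
                status = "not affected"
            findings.append((artifact, version, status))
    return findings


# Constructed sample of dependency:tree output. Only "http2-common 10.0.22 under
# solr-solrj 9.8.0" comes from the email; the other edges are invented for illustration.
SAMPLE_TREE = """\
[INFO] org.apache.solr:solr-solrj:jar:9.8.0:compile
[INFO] +- org.eclipse.jetty.http2:http2-client:jar:10.0.22:compile
[INFO] |  \\- org.eclipse.jetty.http2:http2-common:jar:10.0.22:compile
[INFO] \\- org.eclipse.jetty.http2:http2-hpack:jar:10.0.22:compile
"""

if __name__ == "__main__":
    for artifact, version, status in triage_dependency_tree(SAMPLE_TREE):
        print(f"{JETTY_HTTP2_GROUP}:{artifact}:{version}  ->  {status}")
```

Run it against the real `mvn dependency:tree` output for the build in question (or any SCA export that lists Maven coordinates) instead of the constructed sample; the interesting case when a fix ships is an upgrade that leaves a second, older copy of http2-common on the classpath, which this scan reports as a separate line.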