CVE-2026-1605 - Vulnerability Details - OpenCVE

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f

History

Thu, 05 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Weaknesses		CWE-400 CWE-401
References		https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2026-03-05T09:39:01.315Z

Updated: 2026-03-05T09:39:01.315Z

Reserved: 2026-01-29T10:58:31.963Z

Link: CVE-2026-1605

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-05T10:15:56.890

Modified: 2026-03-05T10:15:56.890

Link: CVE-2026-1605

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1605", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-01-29T10:58:31.963Z", "datePublished": "2026-03-05T09:39:01.315Z", "dateUpdated": "2026-03-05T09:39:01.315Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "12.0.31", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThanOrEqual": "12.1.5", "status": "affected", "version": "12.1.0.", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gleb Sizov (@glebashnik)"}, {"lang": "en", "type": "finder", "value": "Bj\u00f8rn Christian Seime (@bjorncs)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class <code>GzipHandler</code> exposes a vulnerability when a compressed HTTP request, with <code>Content-Encoding: gzip</code>, is processed and the corresponding response is not compressed.</p>\n<p>This happens because the JDK <code>Inflater</code> is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.</p>"}], "value": "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-05T09:39:01.315Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}}}