CVE-2026-1605
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
| CWE | CWE-400 CWE-401 |
| Vendor | eclipse foundation |
| Product | eclipse jetty |
| Published | Mar 5, 2026 |
| Last Updated | Mar 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for eclipse foundation eclipse jetty
Be the first to know when new high vulnerabilities affecting eclipse foundation eclipse jetty are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Eclipse Foundation / Eclipse Jetty
12.0.0 β€ 12.0.31 12.1.0. β€ 12.1.5
References
Credits
Gleb Sizov (@glebashnik) BjΓΈrn Christian Seime (@bjorncs)