KAFKA-20168: Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 (4.1)#21461
Merged
chia7712 merged 2 commits into apache:4.1 on Feb 12, 2026
Conversation
Upgrade Jetty to address the MadeYouReset HTTP/2 DoS vulnerability (CVE-2025-5115, CVSS 7.7 HIGH). While Kafka Connect and Trogdor only use HTTP/1.1, upgrading eliminates the vulnerable dependency and includes additional bug fixes and stability improvements.
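The check a reviewer would want before accepting the "HTTP/1.1 only" argument in the description above, as an added example that is not Kafka's or Jetty's own code: build a Jetty Server the way the page describes (a ServerConnector carrying only an HttpConnectionFactory), build a contrasting server that also registers HTTP2CServerConnectionFactory, and ask every connector which protocols its connection factories advertise. The class and method names (Http2ExposureCheck, advertisedProtocols, exposesHttp2, http11Only, withH2c) and the port are assumptions. It assumes jetty-server 12.0.x on the classpath and, only for the contrasting case, jetty-http2-server, which is the artifact that pulls in the affected jetty-http2-common module.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

/** Hypothetical helper (not part of Kafka): reports whether a Jetty Server can negotiate HTTP/2. */
public final class Http2ExposureCheck {

    /** Collects the protocol names every connection factory on every connector advertises. */
    static List<String> advertisedProtocols(Server server) {
        List<String> protocols = new ArrayList<>();
        for (Connector connector : server.getConnectors()) {
            for (ConnectionFactory factory : connector.getConnectionFactories()) {
                protocols.addAll(factory.getProtocols());
            }
        }
        return protocols;
    }

    /** True if any connector would speak HTTP/2: "h2" (over TLS/ALPN) or "h2c" (cleartext). */
    static boolean exposesHttp2(Server server) {
        for (String protocol : advertisedProtocols(server)) {
            String lower = protocol.toLowerCase(Locale.ROOT);
            if (lower.equals("h2") || lower.equals("h2c")) {
                return true;
            }
        }
        return false;
    }

    /** The shape the PR describes: one ServerConnector, HTTP/1.1 only, no HTTP/2 factory at all. */
    static Server http11Only(int port) {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    /** Contrast: registering a cleartext HTTP/2 factory makes h2c reachable on the same port. */
    static Server withH2c(int port) {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        ServerConnector connector = new ServerConnector(server,
                new HttpConnectionFactory(config),
                new HTTP2CServerConnectionFactory(config));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) {
        // Port value is an assumption; the servers are never started, only inspected.
        System.out.println("HTTP/1.1-only server exposes h2/h2c: " + exposesHttp2(http11Only(8083)));
        System.out.println("Server with h2c factory exposes h2/h2c: " + exposesHttp2(withH2c(8083)));
    }
}
```

Run against the real Server instance behind the Connect RestServer or Trogdor JsonRestServer, exposesHttp2 turns the description's claim into an assertion a test can enforce. Pair it with a dependency report (for example `./gradlew dependencies` on the relevant module) confirming that `org.eclipse.jetty.http2:jetty-http2-common` is absent from the runtime classpath, since a transitive pull of that module would bring the affected code back in even when no connector ever negotiates HTTP/2.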
This was referenced Feb 12, 2026

viktorsomogyi added a commit that referenced this pull request on Feb 12, 2026
… (4.0) (#21462)

Upgrade Jetty from 12.0.22 to 12.0.32 to address GHSA-mmxm-8w33-wc4h (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH). Note that GHSA-mmxm-8w33-wc4h only affects the org.eclipse.jetty.http2:jetty-http2-common module. Kafka does not depend on this module — its embedded Jetty servers (Connect RestServer and Trogdor JsonRestServer) only use HTTP/1.1 via ServerConnector without any HTTP2ServerConnectionFactory configuration. As such, the attack vector is not applicable. This upgrade from 12.0.22 to 12.0.32 is to keep the dependency up to date.

4.1: #21461
trunk: #21452

Reviewers: Viktor Somogyi-Vass <viktorsomogyi@gmail.com>

Co-authored-by: Viktor Somogyi-Vass <viktorsomogyi@gmail.com>
chia7712 approved these changes on Feb 12, 2026
chia7712 pushed a commit that referenced this pull request on Feb 12, 2026
#21452)

Upgrade Jetty from 12.0.22 to 12.0.32 to address GHSA-mmxm-8w33-wc4h (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH). Note that CVE-2025-5115 only affects the `org.eclipse.jetty.http2:jetty-http2-common` module. Kafka does not depend on this module — its embedded Jetty servers (Connect RestServer and Trogdor JsonRestServer) only use HTTP/1.1 via `ServerConnector` without any `HTTP2ServerConnectionFactory` configuration. As such, the attack vector is not applicable. This upgrade from 12.0.22 to 12.0.32 is to keep the dependency up to date.

4.0: #21462
4.1: #21461

Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
chia7712 pushed a commit that referenced this pull request on Feb 18, 2026
chia7712 pushed a commit that referenced this pull request on Feb 18, 2026
…21505)

Upgrade Jetty from 9.4.57.v20241219 to 9.4.58.v20250814 to address CVE-2025-5115 (GHSA-mmxm-8w33-wc4h; MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH). Note that CVE-2025-5115 only affects the `jetty-http2-common` module. Kafka does not depend on this module — its embedded Jetty servers (Connect RestServer and Trogdor JsonRestServer) only use HTTP/1.1 via `ServerConnector` without any `HTTP2ServerConnectionFactory` configuration. As such, the attack vector is not applicable. This upgrade is to keep the dependency up to date.

trunk: #21452
4.0: #21462
4.1: #21461

Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
Upgrade Jetty from 12.0.22 to 12.0.32 to address GHSA-mmxm-8w33-wc4h (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH).
Note that GHSA-mmxm-8w33-wc4h only affects
the org.eclipse.jetty.http2:jetty-http2-common module. Kafka does not
depend on this module — its embedded Jetty servers (Connect RestServer
and Trogdor JsonRestServer) only use HTTP/1.1 via ServerConnector
without any HTTP2ServerConnectionFactory configuration. As such, the
attack vector is not applicable. This upgrade from 12.0.22 to 12.0.32 is
to keep the dependency up to date.
4.0: #21462
trunk: #21452
Reviewers: Chia-Ping Tsai <chia7712@gmail.com>