CVE-2024-13009

7.2 HIGH

📋 TL;DR

In Eclipse Jetty 9.4.0 through 9.4.56, a failure while inflating a gzip-compressed request body (a gzip error in the compressed stream) causes the buffer holding that data to be released incorrectly. Because Jetty hands released buffers back to a pool that other connections draw from, the result can be corrupted request data or inadvertent sharing of request data between unrelated requests on the same server. Only deployments that decompress gzip request bodies (a GzipHandler with request inflation enabled) reach the affected code path; response compression and uncompressed requests do not trigger it.

💻 Affected Systems

Products:
  • Eclipse Jetty
Versions: 9.4.0 through 9.4.56
Operating Systems: All
Default Config Vulnerable: ⚠️ Only when request inflation is enabled (see Notes)
Notes: Affects only servers that decompress gzip-compressed request bodies, i.e. a GzipHandler is installed (the gzip module in jetty-home, or a GzipHandler added in embedded code) and request inflation is on (inflateBufferSize greater than 0; in the 9.4 gzip module the jetty.gzip.inflateBufferSize property defaults to 0, which leaves inflation off). The stock jetty-home distribution does not enable the gzip module until you add it. Response compression alone does not expose the bug, and uncompressed requests are not affected.

📦 What is this software?

Eclipse Jetty is an open-source Java HTTP server, HTTP client and Servlet container maintained under the Eclipse Foundation. It is at least as often embedded inside Java applications, frameworks and build tools as it is run as a standalone server, so the affected classes can be present in systems that are not obviously "Jetty servers". The 9.4.x line is the long-maintained branch that targets Java 8 and the javax.servlet API, which is why it is still widespread in older deployments.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Bytes from one client's request body (which may carry credentials, session tokens, uploaded documents or personal data) are delivered to the application as part of another client's request, or are corrupted before the application reads them. An attacker who can repeatedly trigger the gzip error while other traffic is in flight may harvest fragments of other users' submissions; whether that reaches session hijacking depends on what those bodies contain.

🟠

Likely Case

Intermittent corruption of request bodies and occasional leakage of fragments between concurrent requests. Because it is a race with other traffic, it is hard to reproduce on demand and easy to misdiagnose as an application bug.

🟢

If Mitigated

If request inflation is disabled or the GzipHandler is removed, the vulnerable path is never entered and the server is not exposed. Network segmentation does not help here: the sharing happens inside a single server process between whatever requests it is handling, so only patching or disabling inflation removes the risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation consists of sending request bodies declared with Content-Encoding: gzip whose compressed stream is malformed (for example a truncated or corrupted deflate stream), which drives the inflation code into its error branch. What, if anything, leaks depends on which other requests the server is processing at that instant, so the outcome is probabilistic rather than deterministic. No authentication is needed beyond reaching an endpoint that reads a request body.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4.57 or later

Vendor Advisory: https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5

Restart Required: Yes

Instructions:

1. Upgrade Jetty to 9.4.57 or later. For jetty-home/jetty-distribution installs, deploy the new distribution; for Maven/Gradle-managed or embedded deployments, bump every org.eclipse.jetty artifact (not just jetty-server) to 9.4.57, because the Jetty modules must run at a single version.
2. Replace the existing Jetty JAR files on the classpath with the patched versions, and make sure no older copy survives in lib/ext, a fat jar, or an application-server bundle.
3. Restart the Jetty server, or the application that embeds it.

🔧 Temporary Workarounds

Disable gzip request decompression

Applies to: all affected versions

Stop Jetty from inflating gzip-compressed request bodies so the vulnerable path is never entered. Response compression can stay enabled; the bug is only on the request side.

In a jetty-base, set jetty.gzip.inflateBufferSize=0 in start.d/gzip.ini (or start.ini). In embedded code, call setInflateBufferSize(0) on the GzipHandler, or remove the GzipHandler entirely if compression is not needed. With inflation off, Jetty passes a gzip-encoded body through to the application unchanged, so confirm that no legitimate client relies on sending compressed bodies before applying this.

🧯 If You Can't Patch

  • At a reverse proxy or WAF in front of Jetty, reject requests that carry a Content-Encoding header (gzip or otherwise) unless a specific endpoint genuinely needs compressed uploads. Blocking on the header is deterministic and cheap.
  • Do not rely on WAF signatures for "malformed gzip": a stream that is valid up to an arbitrary point and then corrupted or truncated cannot be distinguished by a signature, and a deny rule on the header covers it anyway.
  • Watch for bursts of gzip inflation errors in the server log (see Detection & Monitoring) so that an active attempt is noticed even if it cannot be blocked.

🔍 How to Verify

Check if Vulnerable:

A deployment is vulnerable when both hold: the Jetty version is 9.4.0 through 9.4.56, and a GzipHandler is present with request inflation enabled (inflateBufferSize greater than 0; in jetty-home that is the gzip module with jetty.gzip.inflateBufferSize set above 0). Versions 9.4.57 and later are fixed, and the 10.x, 11.x and 12.x lines are not listed in the advisory's affected range.

Check Version:

jetty-home / jetty-distribution: java -jar $JETTY_HOME/start.jar --version, or the startup log line that begins with jetty-9.4.<patch>. Embedded deployments: the version of the org.eclipse.jetty:jetty-server jar on the classpath (its file name or the manifest's Implementation-Version), or Server.getVersion() from code.

Verify Fix Applied:

Confirm that the running version is 9.4.57 or later for every org.eclipse.jetty artifact, not just one jar. Sending a malformed gzip body to a test instance only confirms that the inflation path is active and fails cleanly (the ZipException surfaces when the application reads the body; the resulting status code depends on the application); it cannot demonstrate the absence of buffer sharing, which is a race with other requests. Treat the version check as authoritative.
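The checks above, as an added shell example that is not part of the original page or of the Jetty project: it classifies a Jetty version string against the advisory's 9.4.0 to 9.4.56 range, scans a directory for jetty-server jars and reads their manifest version (falling back to the file name), and looks up the request-inflation setting in a jetty-base. The function names are invented for this example; the property name jetty.gzip.inflateBufferSize is the one the 9.4 gzip module's ini template uses, so check it against your own start.d/gzip.ini.

```sh
#!/bin/sh
# Added example for CVE-2024-13009 triage; not code from the Jetty project.
# All function names here are invented for this example.

# Classify a Jetty version string ("9.4.56.v20240826", "9.4.57", "10.0.24").
# Prints one of: affected | fixed | other-branch | unparseable
jetty_cve_2024_13009_status() {
    v="$1"
    major=${v%%.*};    rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    case "$major$minor$patch" in ''|*[!0-9]*) echo unparseable; return ;; esac
    # Only the 9.4.x line is listed in the advisory; other lines are out of scope here.
    if [ "$major" -ne 9 ] || [ "$minor" -ne 4 ]; then echo other-branch; return; fi
    if [ "$patch" -le 56 ]; then echo affected; else echo fixed; fi
}

# Walk a tree for jetty-server jars and print "<status>\t<version>\t<path>".
# The version comes from the manifest's Implementation-Version when readable,
# otherwise from the file name. Uses unzip(1) if available.
scan_jetty_jars() {
    find "$1" -name 'jetty-server-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r' \
              | sed -n 's/^Implementation-Version: *//p' | head -n 1)
        [ -n "$ver" ] || ver=$(basename "$jar" .jar | sed 's/^jetty-server-//')
        printf '%s\t%s\t%s\n' "$(jetty_cve_2024_13009_status "$ver")" "$ver" "$jar"
    done
}

# Print the last jetty.gzip.inflateBufferSize value set in a jetty-base's
# start.ini / start.d/*.ini, or "unset" if none. 0 or unset means request
# inflation is off (assumption: the 9.4 gzip module's default of 0).
gzip_inflate_setting() {
    val=$(cat "$1/start.ini" "$1"/start.d/*.ini 2>/dev/null \
          | sed -n 's/^[[:space:]]*jetty\.gzip\.inflateBufferSize[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
          | tail -n 1)
    echo "${val:-unset}"
}

# Combine both checks for one installation. Exit 0 if it needs patching.
# usage: needs_patch <jetty-base dir> <jar search root>
needs_patch() {
    setting=$(gzip_inflate_setting "$1")
    vuln_jars=$(scan_jetty_jars "$2" | grep -c '^affected' || true)
    if [ "$vuln_jars" -gt 0 ] && [ "$setting" != unset ] && [ "$setting" -gt 0 ]; then
        echo "VULNERABLE: $vuln_jars affected jetty-server jar(s), inflateBufferSize=$setting"
        return 0
    fi
    echo "not exposed (affected jars: $vuln_jars, inflateBufferSize: $setting)"
    return 1
}

# Stand-alone use: needs_patch /path/to/jetty-base /path/to/search
if [ "$#" -eq 2 ]; then needs_patch "$1" "$2"; fi
```

Embedded deployments have no jetty-base to inspect, so the inflation check there is a code review: look for setInflateBufferSize calls on the GzipHandler, and treat any positive value as exposed until the jars are at 9.4.57.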

📡 Detection & Monitoring

Log Indicators:

  • java.util.zip.ZipException or java.util.zip.DataFormatException entries raised while request bodies are read, particularly in bursts or from stack traces that pass through Jetty's gzip request interceptor
  • Application-level reports of request bodies that arrive garbled, truncated, or containing data that belongs to a different request or user
  • Spikes of 4xx/5xx responses for POST/PUT requests in the access log (plain NCSA access logs do not record the Content-Encoding request header, so pair this with the server log)

Network Indicators:

  • Requests with Content-Encoding: gzip whose bodies are not valid gzip streams (wrong magic bytes 1f 8b, truncated deflate data, bad CRC-32 or length trailer)
  • An unusual volume or rate of gzip-compressed request bodies from one source, especially toward endpoints that rarely receive compressed uploads

SIEM Query:

source="jetty.log" AND ("java.util.zip.ZipException" OR "java.util.zip.DataFormatException" OR "GzipHttpInputInterceptor")

Alert on a burst (several hits within a minute) rather than on single matches, since an occasional bad upload from a buggy client produces the same entries.
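Running the log indicators above over sample input, as an added shell example that is not the page's or the Jetty project's code: it scans a Jetty server log for gzip inflation failures and reports the minutes in which they reach a threshold, so an isolated client error is ignored while a burst of malformed gzip bodies stands out. The sample lines are constructed to resemble Jetty 9.4's StdErrLog layout (timestamp:LEVEL:logger:thread: message, with exception lines following); the function names are invented.

```sh
#!/bin/sh
# Added example: burst detection for gzip inflation failures in a Jetty log.
# Not Jetty project code. The log lines below are constructed, not captured.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2025-01-15 10:22:31.004:WARN:oejs.HttpChannel:qtp1-17: /upload
java.util.zip.ZipException: incorrect header check
    at (stack frames omitted from this constructed sample)
2025-01-15 10:22:31.512:WARN:oejs.HttpChannel:qtp1-21: /upload
java.util.zip.ZipException: invalid block type
2025-01-15 10:22:40.090:WARN:oejs.HttpChannel:qtp1-17: /upload
java.util.zip.DataFormatException: invalid stored block lengths
2025-01-15 10:23:02.777:INFO:oejs.Server:main: Started @1234ms
2025-01-15 10:23:15.100:WARN:oejs.HttpChannel:qtp1-09: /api/items
java.util.zip.ZipException: incorrect header check
EOF

# gzip_error_bursts LOGFILE THRESHOLD
# Prints "<YYYY-MM-DD HH:MM> <count>" for each minute with >= THRESHOLD
# inflation failures. Exception lines carry no timestamp of their own, so the
# minute of the most recent timestamped line is carried forward to them.
gzip_error_bursts() {
    awk -v thr="$2" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]/ {
            minute = substr($0, 1, 16)
        }
        /java\.util\.zip\.(ZipException|DataFormatException)/ && minute != "" {
            n[minute]++
        }
        END { for (m in n) if (n[m] >= thr) printf "%s %d\n", m, n[m] }
    ' "$1" | sort
}

# gzip_error_messages LOGFILE
# Distinct inflation error messages with counts, most frequent first; useful
# for telling a single misbehaving client apart from deliberate fuzzing.
gzip_error_messages() {
    sed -n 's/.*\(java\.util\.zip\.[A-Za-z]*Exception: .*\)/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Stand-alone use: <script> /var/log/jetty/jetty.log [threshold]
if [ "$#" -ge 1 ]; then
    gzip_error_bursts "$1" "${2:-5}"
else
    gzip_error_bursts "$SAMPLE_LOG" 3
fi
```

On the sample, a threshold of 3 reports only the 10:22 minute (three failures) and ignores the single failure at 10:23; the same grouping is what the SIEM query above should do before raising an alert.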

🔗 References

  • Vendor advisory (GHSA-q4rv-gq96-w7c5): https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-13009
