CVE-2024-8184

CVSS 3.1 base score: 5.9 MEDIUM (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

📋 TL;DR

This vulnerability in Jetty's ThreadLimitHandler.getRemote() lets an unauthenticated attacker repeatedly send crafted requests that make the handler's memory use grow without bound, eventually triggering java.lang.OutOfMemoryError and taking the server down (denial of service; no confidentiality or integrity impact). Only deployments that have wired ThreadLimitHandler into the handler chain are affected; the handler is not active in a default Jetty installation.

💻 Affected Systems

Products:
  • Eclipse Jetty
Versions: Jetty 9.x up to and including 9.4.55 (the 9.4 line is EOL), 10.0.0 through 10.0.21, 11.0.0 through 11.0.21, 12.0.0 through 12.0.8
Operating Systems: All platforms running Java
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when ThreadLimitHandler is in the handler chain: enabled via the threadlimit start module, declared in jetty.xml, or constructed in embedded code. The handler can also be configured (setForwardedHeader / setRfc7239) to take the client address from X-Forwarded-For or Forwarded headers; those values are attacker-controlled unless a trusted reverse proxy overwrites them.

📦 What is this software?

Eclipse Jetty is a Java HTTP server and servlet container, shipped as a standalone distribution (jetty-home plus a jetty-base directory) and embedded in many Java applications and frameworks. ThreadLimitHandler is an optional handler that caps the number of server threads a single remote client may occupy at once, intended to blunt slow-request and connection-flood abuse from one address.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server unavailability due to memory exhaustion (JVM OutOfMemoryError), requiring a restart and potentially causing extended downtime; the attacker can repeat the request pattern after every restart until the fix is applied.

🟠 Likely Case: Intermittent service degradation or crashes under attack, affecting application availability.

🟢 If Mitigated: Minimal impact with proper memory limits and monitoring in place.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing servers prime targets.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: Not publicly reported; the bug class (repeated requests that grow unreleased server memory) needs no special tooling once the request pattern is known
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW to carry out (the vendor CVSS vector scores attack complexity as High, reflecting the non-default configuration requirement)

A simple crafted request pattern, sent repeatedly, triggers the issue without authentication or any prior access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jetty 9.4.56, 10.0.22, 11.0.22, 12.0.9

Vendor Advisory: https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq

Restart Required: Yes

Instructions:

1. Obtain a fixed release: for standalone installs, download the patched jetty-home distribution from the official repository; for embedded use, bump the org.eclipse.jetty artifact versions in your build (Maven/Gradle).
2. Replace the vulnerable Jetty JAR files, keeping all org.eclipse.jetty artifacts at the same version.
3. Restart the Jetty server (the JVM must reload the new classes).
4. Verify the running version with java -jar $JETTY_HOME/start.jar --version (standalone) or mvn dependency:tree -Dincludes=org.eclipse.jetty (Maven projects).

🔧 Temporary Workarounds

Disable ThreadLimitHandler

Platform: all

Remove or disable ThreadLimitHandler if it is not required. This also removes the per-client thread cap it provided, so compensate with proxy-side limits if you relied on it.

Standalone: disable the threadlimit module (remove --module=threadlimit from start.ini or delete start.d/threadlimit.ini) and drop any <New class="org.eclipse.jetty.server.handler.ThreadLimitHandler"> element from jetty.xml or other XML files under etc/. Embedded: stop inserting the handler into the handler chain in your server setup code.

Implement request rate limiting

Platform: linux (any reverse proxy or WAF in front of Jetty)

Use a reverse proxy or WAF to limit request rates per client IP. Rate limiting only raises the cost of the attack; it does not remove the unbounded growth, so treat it as a stopgap. If ThreadLimitHandler is configured to trust X-Forwarded-For or Forwarded headers, make sure the proxy overwrites those headers rather than appending to client-supplied values; otherwise the attacker still controls the client address the handler sees.

# Example nginx rate limiting (http {} context):
limit_req_zone $binary_remote_addr zone=jetty:10m rate=10r/s;
# server {} or location {} context, alongside the proxy_pass to Jetty:
limit_req zone=jetty burst=20 nodelay;
proxy_set_header X-Forwarded-For $remote_addr;   # overwrite, do not append, the client-supplied value

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to Jetty servers
  • Deploy WAF with rate limiting and anomaly detection for HTTP requests

🔍 How to Verify

Check if Vulnerable:

A deployment is exposed only if both conditions hold: the Jetty version is in the affected range, and ThreadLimitHandler is in the handler chain. Check the version (below), then look for the handler: java -jar $JETTY_HOME/start.jar --list-config shows the enabled modules (look for threadlimit) and the XML files in use; jetty.xml or any XML under etc/ may declare org.eclipse.jetty.server.handler.ThreadLimitHandler; embedded applications construct it in code, so grep the source for ThreadLimitHandler as well.

Check Version:

java -jar $JETTY_HOME/start.jar --version              # standalone distributions
mvn dependency:tree -Dincludes=org.eclipse.jetty        # Maven-built embedded applications

Verify Fix Applied:

Verify the Jetty version is 9.4.56+, 10.0.22+, 11.0.22+ or 12.0.9+, confirm no older jetty-server jar remains on the classpath, and monitor for java.lang.OutOfMemoryError afterwards.
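The two checks above (version in range, handler configured) can be scripted. The following is an added example written for this page, not Jetty project code: it classifies a version string against the fixed releases listed here and scans a directory for jetty-server jars and for configuration that enables the handler. It assumes the fixed releases are 9.4.56, 10.0.22, 11.0.22 and 12.0.9 (later 12.x branches inherit the fix), takes the version from the jar file name rather than the manifest, and runs against a constructed demo tree rather than a real installation.

```shell
#!/bin/sh
# Added example, not Jetty project code: offline exposure check for CVE-2024-8184.
# Assumption: fixed releases are 9.4.56, 10.0.22, 11.0.22 and 12.0.9.

# First fixed release for the branch a version string belongs to ("" if unknown).
jetty_fixed_version() {
  case "$1" in
    9.*)  echo 9.4.56 ;;
    10.*) echo 10.0.22 ;;
    11.*) echo 11.0.22 ;;
    12.*) echo 12.0.9 ;;
    *)    echo "" ;;
  esac
}

# version_ge A B: succeed if A >= B, comparing up to three dotted numeric parts.
# Jetty's ".vYYYYMMDD" build suffix (e.g. 9.4.55.v20240627) is ignored.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/\.v[0-9]*$//')
  b=$2
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# jetty_version_status VERSION: prints fixed, vulnerable or unknown.
jetty_version_status() {
  fix=$(jetty_fixed_version "$1")
  if [ -z "$fix" ]; then
    echo unknown
  elif version_ge "$1" "$fix"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# scan_dir DIR: one line per finding.
#   <status> <path>                for each jetty-server-<version>.jar (version from file name)
#   threadlimit-configured <path>  for .ini files enabling the threadlimit module or XML files
#                                  referencing the ThreadLimitHandler class
scan_dir() {
  find "$1" -name 'jetty-server-*.jar' | while IFS= read -r jar; do
    v=$(basename "$jar" .jar | sed 's/^jetty-server-//')
    printf '%s %s\n' "$(jetty_version_status "$v")" "$jar"
  done
  { find "$1" -name '*.ini' -exec grep -l 'module=threadlimit' {} + 2>/dev/null || true
    find "$1" -name '*.xml' -exec grep -l 'org.eclipse.jetty.server.handler.ThreadLimitHandler' {} + 2>/dev/null || true
  } | sed 's/^/threadlimit-configured /'
}

# Constructed demo tree (not a real installation): one vulnerable jar, one fixed jar,
# and a jetty.xml that wires the handler in. Expect three findings.
demo_scan() {
  d=$(mktemp -d)
  mkdir -p "$d/lib" "$d/etc"
  : > "$d/lib/jetty-server-9.4.55.v20240627.jar"
  : > "$d/lib/jetty-server-10.0.22.jar"
  cat > "$d/etc/jetty.xml" <<'EOF'
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="handler">
    <New id="ThreadLimitHandler" class="org.eclipse.jetty.server.handler.ThreadLimitHandler">
      <Set name="threadLimit">10</Set>
    </New>
  </Set>
</Configure>
EOF
  scan_dir "$d"
  rm -rf "$d"
}

demo_scan
```

Point scan_dir at $JETTY_HOME and $JETTY_BASE (and at an unpacked WAR's WEB-INF/lib for embedded deployments). A "vulnerable" jar is only exploitable when a "threadlimit-configured" line also appears, or when embedded code constructs the handler, which this file-based scan cannot see.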

📡 Detection & Monitoring

Log Indicators:

  • java.lang.OutOfMemoryError (Java heap space) in Jetty or JVM logs, or heap dumps / JVM exits appearing if -XX:+HeapDumpOnOutOfMemoryError or -XX:+ExitOnOutOfMemoryError is set
  • Heap usage that climbs steadily under load and does not recover after garbage collection
  • Warnings or stack traces referencing org.eclipse.jetty.server.handler.ThreadLimitHandler

Network Indicators:

  • Unusual high volume of HTTP requests to Jetty endpoints
  • Repeated similar request patterns

SIEM Query:

source="*jetty*.log" AND ("java.lang.OutOfMemoryError" OR "ThreadLimitHandler")

Adjust the source to where your JVM output actually lands: Jetty writes logs/<date>.jetty.log only when the console-capture module is enabled, otherwise log lines go to stdout/stderr (typically journald or a container log driver).

🔗 References

  • https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
  • https://nvd.nist.gov/vuln/detail/CVE-2024-8184