Hello Team, I see this question is not answered yet. I am also looking for a recommended solution for this issue. Does anyone know how we can fix/mitigate this vulnerability in Solr 9.9.0. Solr 9.9.0 contains http2-common-10.0.22.jar which is also affected. Any pointer/information about mitigation would be helpful.
-- Vijay On Wed, Aug 27, 2025 at 12:40 AM Rao, Vanishree <[email protected]> wrote: > Hello Team, > > We are seeing a high severity vulnerability CVE-2025-5115 > <https://ast.checkmarx.net/vulnerabilities/CVE-2025-5115%3AMaven-org.eclipse.jetty.http2%3Ahttp2-common-10.0.22/vulnerabilityDetailsGql> > under > category CWE-400 (Uncontrolled Resource Consumption) because of org > eclipse.jetty.http2:http2-common 10.0.22 coming from solr-solrj 9.8.0 in > the Software Composition Analysis Scan. > > Please let us know if it affects Solr 9.8.0 and the plans/timelines for > the remediation of this vulnerability. > > *CVE-2025-5115 | Category CWE-400 | Uncontrolled Resource Consumption* > In Eclipse Jetty, an HTTP/2 client may trigger the server to send > "RST_STREAM" frames, for example, by sending frames that are malformed or > that should not be sent in a particular stream state, therefore forcing the > server to consume resources such as CPU and memory. > For example, a client can open a stream and then send "WINDOW*UPDATE" > frames with a window size increment of 0, which is illegal. Per > specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window > <https://www.rfc-editor.org/rfc/rfc9113.html#name-window>*update , the > server should send a "RST*STREAM" frame. The client can then open another > stream and send another invalid "WINDOW*UPDATE" frame, causing the server > to again consume unnecessary resources. This behavior does not exceed the > maximum number of concurrent streams, yet the client is able to create an > enormous number of streams in a short period of time. The attack can also > be carried out under other conditions, for example, by sending a "DATA" > frame for a closed stream, that cause the server to send a "RST_STREAM" > frame. This issue affects org.eclipse.jetty.http2:jetty-http2-common > package 12.0.x prior to 12.0.25, and 12.1.x prior to 12.1.0.beta2 and > org.eclipse.jetty.http2:http2-common versions 9.3.0M0 through 9.4.57, > 10.0.0-alpha0 through 10.0.25, 11.0.0-alpha0 through 11.0.25. > > Thanks & Regards, > > *Vanishree Rao* > > *(Vaa-nee Shree Ra-ao)* > > Sr. Developer, Application Development > > *[email protected] <[email protected]>* > > *M:* +91 8097034710 > > Pronouns: She/Her > > [image: TULogo-blue-rgb-120px-01] > > > > This email including, without limitation, the attachments, if any, > accompanying this email, may contain information which is confidential or > privileged and exempt from disclosure under applicable law. > > The information is for the use of the intended recipient. If you are not > the intended recipient, be aware that any disclosure, copying, > distribution, review or use of the contents of this email, and/or its > attachments, is without authorization and is prohibited. If you have > received this email in error, please notify us by reply email immediately > and destroy all copies of this email and its attachments. > > > -- -- Vijay
