Impacted Versions
- Confluent Platform version 8.0.0
- Confluent Cloud managed clusters
Recommended Action
- Confluent Platform: Please upgrade to CP versions: 8.0.1
- Confluent Cloud: Managed Confluent Cloud clusters were identified to be vulnerable to this issue. However, all managed clusters have been upgraded. Please note that no security impact was observed for the impacted clusters. No further action is necessary at this time.
Issue
A security issue was identified to impact both Confluent Platform and Confluent Cloud managed clusters due to the reliance on vulnerable dependency Jetty-http2-common version 12.0.16 that is affected by CVE-2025-1948.
This vulnerability is due to the way the server logic handles HTTP/2 settings parameters. A malicious client can provide an invalid value to SETTINS_MAX_HEADER_LIST_SIZE parameter in order to allocate large amounts of memory creating resource exhaustion on the server handling the request.
Remediation
- Confluent Cloud: This issue has already been resolved in Confluent Cloud and no further action is necessary.
- Confluent Platform: This issue is resolved in the CP patch release versions 8.0.1. These fixes adequately address this issue by updating the vulnerable library jetty-http2-common to version 12.0.25 that effectively mitigates this vulnerability.
Original CVSS Score:
7.5
Adjusted CVSS Score:
6.5