Jetty patch released after high-severity CVE-2026-1605 exposes GzipHandler leak
Jetty fixed CVE-2026-1605 with release 12.0.32 after trackers published a CVSS 7.5 flaw that can exhaust server resources; users should upgrade and audit dependencies.

Eclipse Jetty’s maintainers published a fix in release 12.0.32 after security trackers listed CVE-2026-1605 on March 5, 2026, a high-severity flaw (CVSS 7.5) in the server’s GzipHandler. NVD and several security-tracking services listed the vulnerability the same day, and scanner metadata ties the advisory to GHSA-xxh7-fcf3-rj7f. Public disclosures and automated scans put the publish date at 2026-03-05, and one aggregator shows “Published on: 05 Mar 2026, 10:15 UTC.”
Technical disclosures and scanner output make clear that the fault is a resource leak tied to request decompression. The published description states in full: “In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.” The CVSS vector provided by an aggregator is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: a network-accessible, low-complexity flaw that needs no privileges or user interaction and whose only impact is on availability (A:H), consistent with denial-of-service or resource-exhaustion risk.
Automated repository scanning flagged the issue in concrete artifacts. Mend/Bolt reported “CVE-2026-1605 (High) detected in jetty-server-12.0.25.jar #7621,” noting the vulnerable dependency in a set of hapi-fhir project POM files including /hapi-fhir-cli/hapi-fhir-cli-app/pom.xml, /hapi-fhir-jpaserver-test-utilities/pom.xml, /hapi-fhir-test-utilities/pom.xml, /hapi-fhir-jpaserver-elastic-test-utilities/pom.xml, /hapi-fhir-docs/pom.xml, /hapi-fhir-storage-test-utilities/pom.xml, /tests/hapi-fhir-base-test-jaxrsserver-kotlin/pom.xml and /hapi-fhir-storage-batch2-test-utilities/pom.xml. The scanner captured the dependency in base branch master and referenced HEAD commit b59f2d05a7d0fd10c7b03bb6f0ebf97757172a71.
Some trackers apply urgent language to the finding: one vulnerability-analysis section labels the flaw “Very High Risk” and states “Highly exploitable, CVE-2026-1605 poses a critical security risk that could lead to severe breaches.” That editorial phrasing appears in the aggregated material but does not match the technical vector, which indicates availability impact only (C:N/I:N); reporters and operators should attribute the stronger language to the tracker and verify the practical risk with the Jetty project and NVD before inferring confidentiality or integrity consequences.
Version-range reporting in the public material is mostly consistent with the 12.0.0-12.0.31 window, but one source contains the logically inconsistent string “12.1.0-12.0.5.” Journalists and operators should treat that as a typographical error pending confirmation from Jetty’s official advisory or changelog, which will settle whether a 12.1.x branch also requires a backport.
Immediate remediation in the public metadata is straightforward: scanner metadata lists “Type: Upgrade version” and “Fix Resolution: 12.0.32.” System operators should prioritize upgrades to Jetty 12.0.32 where Jetty is used at runtime. Projects that surface jetty-server only as a test or build dependency should validate whether the artifact is executed in production paths; maintainers of repositories flagged by scanners have been identified and should be contacted to confirm exposure.
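As an added example (not code from Jetty or the hapi-fhir project), the following Python script applies the advisory's version window to a Maven POM: it resolves `${...}` version properties, flags org.eclipse.jetty:jetty-server declarations in 12.0.0 through 12.0.31, and marks 12.1.x as unconfirmed because of the inconsistent range noted above. The POM it scans is a constructed sample.

```python
"""Audit a Maven POM for jetty-server versions in the CVE-2026-1605 window.
Added example, not code from Jetty or hapi-fhir; SAMPLE_POM is constructed."""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
VULNERABLE_MIN, FIXED = (12, 0, 0), (12, 0, 32)  # advisory: 12.0.0-12.0.31, fixed in 12.0.32

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jetty.version>12.0.25</jetty.version></properties>
  <dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version></dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Return (major, minor, patch) for '12.0.25'-style versions, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Place a jetty-server version relative to the published advisory range."""
    v = parse_version(version)
    if v is None:
        return "unparsed"        # unresolved property or unusual version string
    if VULNERABLE_MIN <= v < FIXED:
        return "vulnerable"
    if v[:2] == (12, 1):
        return "unconfirmed"     # public range for 12.1.x is inconsistent; check Jetty's advisory
    return "not-in-range"


def audit_pom(pom_xml):
    """Return (artifactId, resolved version, status) for each jetty-server dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if (gid, aid) != ("org.eclipse.jetty", "jetty-server"):
            continue
        raw = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        # Resolve ${name} placeholders from <properties>; leave unknown ones as-is.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        findings.append((aid, ver, classify(ver)))
    return findings
```

This checks direct declarations only; jetty-server usually arrives transitively through other Jetty artifacts, so pair it with `mvn dependency:tree` or the scanner output cited above.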
For accountability and operational clarity, reporters and administrators should obtain Jetty’s official advisory and the commit or pull request that implemented the fix, confirm authoritative CVSS scoring on NVD, and seek confirmation about any 12.1.x patch. Public services and commercial operators running Jetty should treat this as a high-priority patching event and verify their dependency trees immediately.

