CVE-2023-26048: OutOfMemoryError for large multipart without filename in Eclipse Jetty

Published Apr 18, 2023
·
Updated

Impact Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and a very large content.

This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk.

An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

A very large number of parts may cause the same problem.

Patches Patched in Jetty versions

9.4.51.v20230217 - via PR #9345 10.0.14 - via PR #9344 11.0.14 - via PR #9344

Workarounds Multipart parameter maxRequestSize must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter maxFileSize won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.

References https://github.com/eclipse/jetty.project/issues/9076 https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload

Other sources

Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Affected Software

16 affected componentsFixes available
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
10.0.14
debian/jetty9<=9.4.16-0+deb10u1
9.4.50-4+deb10u19.4.39-3+deb11u29.4.50-4+deb11u19.4.50-4+deb12u29.4.53-1
eclipse jetty<9.4.51
eclipse jetty>=10.0.0<10.0.14
eclipse jetty>=11.0.0<11.0.14
IBM Data Virtualization on Cloud Pak for Data<=3.0
IBM Watson Query on Cloud Pak for Data<=2.2
IBM Watson Query on Cloud Pak for Data<=2.1
IBM Watson Query on Cloud Pak for Data<=2.0
IBM Data Virtualization on Cloud Pak for Data<=1.8
IBM Data Virtualization on Cloud Pak for Data<=1.7
redhat/jetty-server<9.4.51
9.4.51
redhat/jetty-server<10.0.14
10.0.14
redhat/jetty-server<11.0.14
11.0.14

Remediation

Patch Available

https://github.com/eclipse/jetty.project/issues/9076

Patch Available

https://github.com/eclipse/jetty.project/pull/9344

Patch Available

https://github.com/eclipse/jetty.project/pull/9345

Event History

Apr 18, 2023
CVE Published
via MITRE·08:30 PM
Data Sourced
via MITRE·08:30 PM
DescriptionSeverityWeakness
Apr 19, 2023
Advisory Published
06:15 PM
Aug 31, 2023
Data Sourced
via Red Hat·12:42 AM
DescriptionSeverityAffected Software
Aug 15, 2025
Data Sourced
via IBM·03:29 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2023-26048?

CVE-2023-26048 is a vulnerability in Eclipse Jetty that allows for a denial of service attack caused by an out of memory flaw in the HttpServlet.

2

What is the impact of CVE-2023-26048?

The impact of CVE-2023-26048 is that servlets with multipart support may cause an OutOfMemoryError when a client sends a multipart request with a part that has a name but no filename and a very large content.

3

What is the severity of CVE-2023-26048?

The severity of CVE-2023-26048 is medium with a CVSS score of 5.3.

4

How do I fix CVE-2023-26048?

To fix CVE-2023-26048, you need to update your Eclipse Jetty to version 11.0.14, 10.0.14, or 9.4.51.

5

Where can I find more information about CVE-2023-26048?

You can find more information about CVE-2023-26048 on the GitHub advisory page and the NIST vulnerability database.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2023-26048 - OutOfMemoryError for large multipart without filename in Eclipse Jetty - SecAlerts