CVE-2025-11143

WSO2 Products impacted: no

Customer action required: no


REPORTED VULNERABILITY

The Jetty URI parser performs inconsistent parsing of malformed or unusual URIs compared to other parsers, allowing crafted requests to bypass security controls due to differential interpretation [1].

REPORTED PRODUCTS

  • WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0
  • WSO2 Identity Server: 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0, 7.2.0

WSO2 JUSTIFICATION

This vulnerability has been addressed in Jetty HTTP version 12.0.31 and above in the 12.0.x series, and version 12.1.5 and above in the 12.1.x series. However, Jetty HTTP is an embedded dependency of Solr, and picking up the fixed versions requires migrating to non-vulnerable Solr 10.x versions. Migrating to Solr 10.x introduces breaking changes in the context of WSO2 API Manager. Additionally, the listed WSO2 Identity Server versions and the WSO2 API Manager versions below 4.7.0 support Java versions earlier than 21, while Solr 10.x requires Java 21 or higher, making the upgrade path incompatible. For these reasons, we are publishing this CVE justification with a detailed analysis of the CVE, outlining how the associated risks are mitigated in WSO2 products and the actions WSO2 is taking in response.

The vulnerable jetty-http dependency is included transitively through the Apache Solr bundle, which supports content and artifact search capabilities in the product portals of the affected WSO2 product versions.
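The following shell snippet is an added example and is not part of this WSO2 advisory or of the Jetty or Solr projects. It locates jetty-http jars under a product installation and classifies each one against the fixed versions stated above (12.0.31 and above for 12.0.x, 12.1.5 and above for 12.1.x), which is the check an operator would run to confirm which version is actually shipped. The product home path and the Maven-style jar name `jetty-http-<version>.jar` are assumptions; a version in any series the advisory does not mention is reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example (not WSO2, Jetty or Solr code). Classifies a jetty-http
# version string against the fixed versions given in the advisory:
#   12.0.x is fixed from 12.0.31, 12.1.x is fixed from 12.1.5.
# Prints one of: fixed | vulnerable | unknown
jetty_http_status() {
  ver="$1"
  major_minor=$(printf '%s' "$ver" | cut -d. -f1,2)
  # Third component, with any non-numeric suffix (e.g. a qualifier) stripped.
  patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')

  case "$major_minor" in
    12.0) threshold=31 ;;
    12.1) threshold=5 ;;
    *) echo unknown; return 0 ;;   # series not covered by the advisory
  esac

  # A two-component version cannot be placed relative to the threshold.
  if [ -z "$patch" ]; then
    echo unknown
    return 0
  fi

  if [ "$patch" -ge "$threshold" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Extracts the version from a Maven-style jar file name such as
# jetty-http-12.0.30.jar (naming convention is an assumption).
jar_version() {
  base=$(basename "$1" .jar)
  printf '%s\n' "${base#jetty-http-}"
}

# Walks a product installation (path supplied by the caller, e.g. the
# <PRODUCT_HOME> of a WSO2 distribution) and reports every jetty-http jar.
scan_product_home() {
  home="$1"
  find "$home" -type f -name 'jetty-http-*.jar' 2>/dev/null | while read -r jar; do
    ver=$(jar_version "$jar")
    printf '%s\t%s\t%s\n' "$(jetty_http_status "$ver")" "$ver" "$jar"
  done
}

# Usage: scan_product_home /path/to/PRODUCT_HOME
```

The status column is only the first step of the assessment: a `vulnerable` result records that an affected jar is packaged, and the reachability argument made in the rest of this justification (embedded Solr, no Jetty HTTP listener) is what decides whether that jar represents exposure.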

The reported vulnerability affects Jetty HTTP URI parsing [2] when processing inbound HTTP requests, particularly where parsed URI values are used for security-sensitive decisions. This execution path is not used by the Solr-based portal search features in these products.

In the default product configuration, Solr runs in embedded mode through in-process Solr APIs. This mode does not start a Jetty HTTP server or expose Jetty URI parsing to external requests. The relevant components only contribute metadata to the portal search flow and do not expose Jetty-based HTTP endpoints.

Therefore, although the vulnerable Jetty dependency is present in the packaged Solr component, the vulnerable code path is not reachable through the Solr search functionality used by the above-mentioned WSO2 products.

Based on this evidence, we conclude that this vulnerability does not pose a security risk to the impacted versions of WSO2 products listed above.

REFERENCES