Miggo Logo
Miggo Vulnerability Database
CVE-2024-13009

CVE-2024-13009: **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request

7.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-13009
GHSA ID
GHSA-q4rv-gq96-w7c5
EPSS Score
0.1091%
CWE
CWE-404
Published
5/8/2025
Updated
5/8/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.eclipse.jetty:jetty-servermaven>= 9.4.0, <= 9.4.569.4.57.v20241219

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability (GHSA-q4rv-gq96-w7c5 / CVE-2024-13009) states that in Eclipse Jetty, GzipHandler can cause incorrect buffer release during GZIP inflation errors, leading to data corruption or sharing between requests. The provided commit e3fa9466633db6bf36e0eb0d17e3de166c788ede directly addresses this by modifying buffer management logic within org.eclipse.jetty.server.HttpInput.java.

The GzipHandler uses an interceptor (GzipInterceptor) which, in turn, interacts with HttpInput to read and decompress the request body. When a GZIP inflation error occurs within this interceptor, the error state propagates to HttpInput.

The patch modifies two key methods in HttpInput.java:

  1. fail(Content, Throwable): The patch ensures that if the content being marked as failed is the current active buffer (_content), then _content is set to null. Previously, this nullification was missing, allowing a reference to the (potentially partially filled or corrupted) buffer from the failed GZIP operation to persist.
  2. addContent(Content): Similarly, when adding content in an error or EOF state (which could follow a GZIP error), the patch ensures that if the content being added is the current _content, it is nullified. This prevents the problematic buffer from being carried forward.

These HttpInput methods are identified as vulnerable because their pre-patch logic for managing the _content buffer was flawed under error conditions originating from interceptors like the one used by GzipHandler. This mismanagement of the buffer is the root cause of the described vulnerability, where parts of one request's body (after a GZIP error) could be mistakenly seen as part of a subsequent request due to the buffer not being properly cleared and reset.

While GzipHandler.handle(...) would be a primary function in the stack trace during exploitation as it orchestrates the GZIP processing, the actual code flaw (incorrect buffer handling) fixed by this specific patch resides in the identified HttpInput methods. These methods are crucial for processing the request input stream, and their incorrect behavior when handling GZIP errors led to the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **lips* J*tty v*rsions *.*.* to *.*.** * *u***r **n ** in*orr**tly r*l**s** w**n *on*ront** wit* * *zip *rror w**n in*l*tin* * r*qu*st *o*y. T*is **n r*sult in *orrupt** *n*/or in**v*rt*nt s**rin* o* **t* **tw**n r*qu*sts.

Reasoning

T** vuln*r**ility (**S*-q*rv-*q**-w*** / *V*-****-*****) st*t*s t**t in **lips* J*tty, *zip**n*l*r **n **us* in*orr**t *u***r r*l**s* *urin* *ZIP in*l*tion *rrors, l***in* to **t* *orruption or s**rin* **tw**n r*qu*sts. T** provi*** *ommit `*********