
[Aikido] Fix 6 security issues in jetty-server, jetty-http, kotlin-stdlib #315

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-16483-update-packages-59578950-4uv7

Conversation

aikido-autofix Bot commented Jul 2, 2026

Upgrade Jetty and Kotlin to fix HTTP request smuggling via chunk extensions, URI parsing bypass vulnerabilities, ThreadLimitHandler DoS, and unsafe deserialization RCE.

⚠️ Incomplete breaking changes analysis (1/3 analyzed)

⚠️ Breaking changes analysis not available for: org.eclipse.jetty:jetty-server, org.eclipse.jetty:jetty-http

✅ After thoroughly analyzing the codebase for patterns related to all breaking changes in the Kotlin stdlib upgrade from 1.9.25 to 2.4.20, no breaking changes affect this codebase.

The codebase contains:

  • Simple data classes with immutable properties (no open properties with backing fields requiring deferred initialization)

  • Standard override methods that don't involve raw types or generic type conflicts

  • No Kotlin Multiplatform code (no expect/actual declarations)

  • No @OptIn annotations or experimental API usage

  • No typealias declarations

  • No suspend anonymous functions in statement positions

  • Lambda expressions used in standard library functions (.use, .also, .apply) which are not affected by the breaking changes

All Kotlin code follows standard patterns that are compatible with Kotlin 2.4.20.

All breaking changes by upgrading org.jetbrains.kotlin:kotlin-stdlib from version 1.9.25 to 2.4.20 (CHANGELOG)

Version  Description
2.0.0    Open properties with backing fields must be immediately initialized; deferred initialization in init blocks is no longer allowed
2.0.0    Synthetic setters on projected receivers now trigger errors when assigning types that conflict with the class's projected type
2.0.0    Function literals (lambdas and anonymous functions) with inaccessible generic types now trigger compilation errors
2.0.0    Generic types with inaccessible generic type arguments now trigger compilation errors
2.0.0    Resolution order changed: Kotlin properties now consistently supersede Java fields with the same name, with subclass members taking precedence
2.0.0    Java primitive arrays with TYPE_USE nullability annotations now enforce null safety, triggering errors when values are not used according to annotations
2.0.0    Common code in Kotlin Multiplatform can no longer access platform-specific code due to strict separation of common and platform source sets during compilation
2.0.0    Expected classes without default constructors can no longer be instantiated in common code
2.0.0    Abstract members inherited in expected non-abstract classes must be explicitly overridden as non-abstract
2.0.0    Expected and actual declarations can have different visibility levels only if the actual declaration is more permissive than the expected declaration
2.0.0    Upper bound violations in typealias constructors are now deprecated
2.0.0    Overriding Java methods with raw-typed parameters using generic typed parameters is now forbidden
2.0.0    SAM constructor usages requiring OptIn without annotation are now deprecated
2.0.0    Constructor calls with default arguments under OptIn markers are now forbidden
2.0.0    Suspend-marked anonymous function declarations in statement positions are now prohibited
2.0.0    From Kotlin 2.4.0 onward, rolling back to the previous compiler is no longer possible

✅ 6 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue               Severity  Description
CVE-2026-2332       HIGH      [jetty-server] The HTTP/1.1 parser incorrectly handles chunk extensions with unclosed quoted strings, terminating parsing at \r\n instead of treating it as an error, enabling HTTP request smuggling attacks. This allows attackers to inject malicious requests that bypass security controls.
CVE-2025-11143      MEDIUM    [jetty-server] URI parser interprets invalid or unusual URIs differently than other common parsers, potentially allowing security bypasses when multiple components parse URIs inconsistently or disclosing implementation details through differential parsing behavior.
CVE-2024-8184       MEDIUM    [jetty-server] ThreadLimitHandler.getRemote() contains a vulnerability allowing attackers to trigger OutOfMemory errors through crafted requests, causing denial-of-service by exhausting server memory.
CVE-2024-6763       MEDIUM    [jetty-server] Insufficient validation of URI authority segments in HttpURI can cause host extraction discrepancies between Jetty and browsers, enabling open redirect or SSRF attacks when combined with vulnerable browsers.
AIKIDO-2026-188556  MEDIUM    [kotlin-stdlib] In JetBrains Kotlin before 2.4.20 code execution is possible via unsafe deserialization in the build cache metadata.
AIKIDO-2026-550292  MEDIUM    [kotlin-stdlib] In JetBrains Kotlin, a vulnerable Java API is used for temporary file and folder creation. An attacker is able to read data from such files and list directories due to insecure permissions.

🔗 Related Tasks
