CVE-2025-12383
November 18, 2025
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)
Affected Packages
org.glassfish.jersey.core:jersey-client (JAVA):
Affected version(s) =2.45 <2.46Fix Suggestion:
Update to version 2.46org.glassfish.jersey.core:jersey-client (JAVA):
Affected version(s) =3.1.9 <3.1.10Fix Suggestion:
Update to version 3.1.10org.glassfish.jersey.core:jersey-client (JAVA):
Affected version(s) =3.0.16 <3.0.17Fix Suggestion:
Update to version 3.0.17https://github.com/eclipse-ee4j/jersey.git (SCM_GIT):
Affected version(s) =3.1.9 <3.1.10Fix Suggestion:
Update to version 3.1.10https://github.com/eclipse-ee4j/jersey.git (SCM_GIT):
Affected version(s) =2.45 <2.46Fix Suggestion:
Update to version 2.46https://github.com/eclipse-ee4j/jersey.git (SCM_GIT):
Affected version(s) =3.0.16 <3.0.17Fix Suggestion:
Update to version 3.0.17Related Resources (13)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
0.06
