Applications Manager and Eclipse Jetty Security Vulnerability CVE-2025-11143
Article ID: 438543


Products

CA Automic Applications Manager (AM)

Issue/Introduction

Security scanners may report Applications Manager's webserver to be using a version of Jetty that is vulnerable to CVE-2025-11143.

Jetty can interpret certain invalid or unusual URIs (using odd schemes, IPv6/host delimiter edge cases, or specific priority for #, ?, or @ delimiters) differently than common parsers like those found in reverse proxies, load balancers, WAFs, or API gateways.

Exploitation typically requires the following conditions:

  1. Vulnerable Jetty version in the request path.
  2. Multiple URI parsers (e.g., a proxy and Jetty) interpreting the same request.
  3. Security-relevant divergence, where the mismatch allows an attacker to bypass an authorization blocklist or causes information disclosure.
  4. Attacker-controlled request line providing malformed URIs.
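Conditions 2 and 3 above come down to two parsers disagreeing on the host or path of one request line. The following Python script is an added example, not part of this article or of Applications Manager: it compares a hypothetical string-based front-end rule (`naive_host_path`, constructed here) against an RFC 3986 parse over constructed sample URIs and reports the ones where the two disagree, which is the consistency check to run on any stack that does layer a second URI policy in front of Jetty.

```python
import re

# RFC 3986 Appendix B reference grammar: scheme, authority, path, query, fragment.
_RFC3986 = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?"
)


def rfc3986_host_path(uri: str) -> tuple:
    """Host and path as a spec-conformant parser sees them."""
    _, authority, path, _, _ = _RFC3986.match(uri).groups()
    host = authority or ""
    if "@" in host:
        host = host.rsplit("@", 1)[1]  # userinfo ends at the LAST '@'
    if host.startswith("[") and "]" in host:
        host = host[: host.index("]") + 1]  # IPv6 literal: drop port after ']'
    elif not host.startswith("["):
        host = host.split(":", 1)[0]  # drop port
    return host.lower(), path


def naive_host_path(uri: str) -> tuple:
    """Hypothetical front-end rule (constructed for this example): host is the
    text after '//' up to the first ':', '/' or '@'; path starts at the first '/'."""
    rest = uri.split("//", 1)[1] if "//" in uri else uri
    rest = re.split(r"[?#]", rest, maxsplit=1)[0]  # ignore query and fragment
    host = re.split(r"[:/@]", rest, maxsplit=1)[0]
    slash = rest.find("/")
    path = rest[slash:] if slash >= 0 else ""
    return host.lower(), path


def find_divergences(uris) -> list:
    """Return (uri, front_end_view, rfc3986_view) for every URI the two parsers
    read differently; an empty list means the front-end rule is consistent."""
    out = []
    for uri in uris:
        front, spec = naive_host_path(uri), rfc3986_host_path(uri)
        if front != spec:
            out.append((uri, front, spec))
    return out


# Constructed sample request targets exercising the '@', '?', '#' and IPv6 cases.
SAMPLE_URIS = [
    "http://app.example/admin",
    "http://app.example/api?next=/admin",
    "http://app.example/x#/admin",
    "http://proxy.example@app.example/admin",
    "http://[::1]:8080/admin",
]

if __name__ == "__main__":
    for uri, front, spec in find_divergences(SAMPLE_URIS):
        print(f"DIVERGENCE {uri}: front-end={front} rfc3986={spec}")
```

Only the userinfo and IPv6-literal samples are reported; the query and fragment samples are read identically because both parsers stop at `?` and `#`.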

Environment

Applications Manager 9.6.2

Cause

In version 9.6.2, Applications Manager uses Jetty 11.0.26 as part of the integrated webserver.

Resolution

Why AM is not exploitable:

  1. Single stack — Routing and static serving are handled by Jetty’s normal pipeline; AM code does not add another URL parser that could disagree with Jetty on malformed URIs for allow/deny or routing.
  2. No blacklist / policy engine on raw URLs — Nothing in code matches “block path X” using a different library than Jetty.
  3. Error page — Uses Jetty/servlet error attributes; redirect targets are built from fixed config + known homePageUrl, not from re-parsing the client’s raw request line in a separate URI implementation.

Hence, for the embedded static webserver as shipped with AM 9.6.2, AM code does not layer a second URI policy engine on top of Jetty, so the differential-parsing attack class does not apply in the way described.

Although version 9.6.2 is not vulnerable, version 9.6.3 will include a fixed Jetty version for the Spring-based webserver (which takes effect only when APIs are enabled).