CVE-2026-2332
HTTP Request Smuggling in Eclipse Jetty HTTP/1.1 Parser

Publication date: 2026-04-14

Last updated on: 2026-05-01

Assigner: Eclipse Foundation

Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
  • https://w4ke.info/2025/06/18/funky-chunks.html
  • https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

  POST / HTTP/1.1
  Host: localhost
  Transfer-Encoding: chunked

  1;ext="val
  X
  0

  GET /smuggled HTTP/1.1
  ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
eclipse jetty From 10.0.0 (inc) to 10.0.28 (exc)
eclipse jetty From 11.0.0 (inc) to 11.0.28 (exc)
eclipse jetty From 12.0.0 (inc) to 12.0.33 (exc)
eclipse jetty From 12.1.0 (inc) to 12.1.7 (exc)
eclipse jetty From 9.4.0 (inc) to 9.4.60 (exc)
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2332 is a high-severity HTTP request smuggling vulnerability in the Eclipse Jetty HTTP server. It arises from Jetty's incorrect parsing of HTTP/1.1 chunked transfer encoding chunk extensions, specifically when quoted strings are used. Jetty prematurely ends parsing of chunk extensions upon encountering a carriage return and line feed (\r\n) inside a quoted string, instead of treating this as a parsing error as required by HTTP standards (RFC 9112 and RFC 9110).

This flaw allows an attacker to inject CRLF sequences inside quoted-string chunk extensions, causing Jetty to misinterpret chunk boundaries and treat part of the extension as the start of a new HTTP request. As a result, an attacker can smuggle additional HTTP requests within a legitimate request, leading to multiple security issues.

The vulnerability is similar to the "funky chunks" HTTP request smuggling techniques, where malformed chunk extensions with unclosed quotes enable injection of smuggled requests.


How can this vulnerability impact me?

This vulnerability can have several severe impacts due to HTTP request smuggling. An attacker can inject unauthorized HTTP requests that are interpreted differently by Jetty and by downstream servers or intermediaries. Possible consequences include:

  • Cache poisoning
  • Access control bypass
  • Session hijacking
  • Unauthorized data access or modification

The attack requires no privileges or user interaction but has high attack complexity. It can compromise confidentiality and integrity of data processed by the Jetty server.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for specially crafted HTTP/1.1 chunked requests that contain chunk extensions with unclosed quoted strings including CRLF sequences. Such requests may look like chunked requests with malformed chunk extensions that inject additional HTTP requests (request smuggling).

A detection approach involves capturing HTTP traffic and inspecting chunked transfer encoding headers for chunk extensions that contain unclosed quoted strings or embedded CRLF sequences.

Example commands to detect suspicious requests might include using network packet capture tools like tcpdump or Wireshark to filter HTTP traffic with chunked transfer encoding, then analyzing the chunk extensions for anomalies.

  • Use tcpdump to capture plaintext HTTP traffic; the filter below matches port 80 and keeps only segments that carry payload. Traffic on port 443 can only be inspected this way if it is unencrypted at the capture point (for example behind a TLS terminator): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use Wireshark to filter HTTP requests with Transfer-Encoding: chunked and inspect chunk extensions for unclosed quotes or embedded CRLF sequences.
  • Use custom scripts or tools to parse HTTP requests and flag chunk extensions containing CRLF inside quoted strings, which violate RFC 9112 and RFC 9110.
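A strict checker of the kind the last bullet describes, as an added example that is not part of this page or of Jetty's code. It assumes the chunked body has already been extracted from the captured request and validates every chunk-size line against the RFC 9112 grammar, so the advisory's unclosed quote is reported as a parse error rather than silently ending the extension.

```python
import re

# Added example (not Jetty code): strict validation of chunk-size lines against
# RFC 9112 s7.1.1, for a traffic or log analyser to run over captured chunked
# bodies. Grammar:  chunk-ext = *( BWS ";" BWS ext-name [ BWS "=" BWS ext-val ] )
#                   ext-val   = token / quoted-string
# A quoted-string cannot contain CR or LF, so a quote that is still open when the
# line ends at CRLF is a parse error, not the end of the extension.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[^"\\\r\n]|\\[^\r\n])*"'
CHUNK_EXT = re.compile(rb"(?:[ \t]*;[ \t]*" + TOKEN + rb"(?:[ \t]*=[ \t]*(?:"
                       + TOKEN + rb"|" + QUOTED + rb"))?)*[ \t]*")
OPEN_QUOTE = re.compile(rb'=[ \t]*"(?:[^"\\]|\\[\s\S])*\Z')  # quote never closed

def check_chunk_ext(ext: bytes):
    """Return None if ext is a well-formed chunk-ext, else a short reason."""
    if CHUNK_EXT.fullmatch(ext):
        return None
    if OPEN_QUOTE.search(ext):
        return "unterminated quoted-string in chunk extension"
    if b"\r" in ext or b"\n" in ext:
        return "bare CR or LF inside chunk extension"
    return "malformed chunk extension"

def scan_chunked_body(body: bytes):
    """Walk each chunk-size line of a chunked body; return (offset, reason) findings."""
    findings, pos = [], 0
    while True:
        eol = body.find(b"\r\n", pos)
        m = re.match(rb"[0-9A-Fa-f]+", body[pos:eol]) if eol >= 0 else None
        if not m:
            return findings + [(pos, "truncated or non-hex chunk-size line")]
        reason = check_chunk_ext(body[pos + m.end():eol])
        if reason:
            findings.append((pos, reason))
        size = int(m.group(), 16)
        if size == 0:
            return findings  # last-chunk reached; trailer fields not inspected here
        pos = eol + 2 + size + 2  # skip CRLF, chunk-data, CRLF

# Constructed samples: the advisory's body, where ext="val is never closed, and a
# well-formed body whose quoted ext-val legitimately contains ';'.
SMUGGLED = b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n'
BENIGN = b'5;name="a;b"\r\nhello\r\n0\r\n\r\n'

if __name__ == "__main__":
    print(scan_chunked_body(SMUGGLED))  # [(0, 'unterminated quoted-string in chunk extension')]
    print(scan_chunked_body(BENIGN))    # []
```

A finding on a request that is followed by further bytes on the same connection is the pattern to alert on, since those bytes are what a lenient parser would read as a second request.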

What immediate steps should I take to mitigate this vulnerability?

Currently, no patches or workarounds are available for this vulnerability.

The recommended mitigation is to upgrade to patched versions of Eclipse Jetty once they are released. Expected patched versions include 9.4.60, 10.0.28, 11.0.28, 12.0.33, and 12.1.7.

Until patches are available, consider implementing network-level protections such as Web Application Firewalls (WAFs) or reverse proxies that can detect and block malformed chunked requests with suspicious chunk extensions.

Additionally, monitor logs and network traffic for signs of HTTP request smuggling attempts and restrict access to the Jetty server to trusted clients where possible.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Eclipse Jetty's HTTP/1.1 parser allows HTTP request smuggling, which can lead to unauthorized data access or modification, session hijacking, and access control bypass. These impacts can compromise the confidentiality and integrity of data handled by the affected server.

Such security breaches may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and integrity violations.

Because the vulnerability enables attackers to inject unauthorized requests and potentially access or alter protected data, organizations using affected Jetty versions could face compliance risks if this flaw is exploited.

