CVE-2026-2332
Modified
Modified - Updated After Analysis
HTTP Request Smuggling in Eclipse Jetty HTTP/1.1 Parser
Vulnerability report for CVE-2026-2332, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-14
Last updated on: 2026-07-02
Assigner: Eclipse Foundation
Description
Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing atΒ \r\nΒ inside quoted strings instead of treating this as an error.
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked
1;ext="val
X
0
GET /smuggled HTTP/1.1
...
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | jetty | From 10.0.0 (inc) to 10.0.28 (exc) |
| eclipse | jetty | From 11.0.0 (inc) to 11.0.28 (exc) |
| eclipse | jetty | From 12.0.0 (inc) to 12.0.33 (exc) |
| eclipse | jetty | From 12.1.0 (inc) to 12.1.7 (exc) |
| eclipse | jetty | From 9.4.0 (inc) to 9.4.60 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |