CVE-2026-2332
Received Received - Intake
HTTP Request Smuggling in Eclipse Jetty HTTP/1.1 Parser

Publication date: 2026-04-14

Last updated on: 2026-05-01

Assigner: Eclipse Foundation

Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing atΒ \r\nΒ inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2332
EUVD
EUVD-2026-22243
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
eclipse jetty From 10.0.0 (inc) to 10.0.28 (exc)
eclipse jetty From 11.0.0 (inc) to 11.0.28 (exc)
eclipse jetty From 12.0.0 (inc) to 12.0.33 (exc)
eclipse jetty From 12.1.0 (inc) to 12.1.7 (exc)
eclipse jetty From 9.4.0 (inc) to 9.4.60 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2332 is a high-severity HTTP request smuggling vulnerability in the Eclipse Jetty HTTP server. It arises from Jetty's incorrect parsing of HTTP/1.1 chunked transfer encoding chunk extensions, specifically when quoted strings are used. Jetty prematurely ends parsing of chunk extensions upon encountering a carriage return and line feed (\r\n) inside a quoted string, instead of treating this as a parsing error as required by HTTP standards (RFC 9112 and RFC 9110).

This flaw allows an attacker to inject CRLF sequences inside quoted-string chunk extensions, causing Jetty to misinterpret chunk boundaries and treat part of the extension as the start of a new HTTP request. As a result, an attacker can smuggle additional HTTP requests within a legitimate request, leading to multiple security issues.

The vulnerability is similar to the "funky chunks" HTTP request smuggling techniques, where malformed chunk extensions with unclosed quotes enable injection of smuggled requests.

Impact Analysis

This vulnerability can have several severe impacts due to HTTP request smuggling. An attacker can inject unauthorized HTTP requests that are interpreted differently by Jetty and downstream servers or intermediaries.

  • Cache poisoning
  • Access control bypass
  • Session hijacking
  • Unauthorized data access or modification

The attack requires no privileges or user interaction but has high attack complexity. It can compromise confidentiality and integrity of data processed by the Jetty server.

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted HTTP/1.1 chunked requests that contain chunk extensions with unclosed quoted strings including CRLF sequences. Such requests may look like chunked requests with malformed chunk extensions that inject additional HTTP requests (request smuggling).

A detection approach involves capturing HTTP traffic and inspecting chunked transfer encoding headers for chunk extensions that contain unclosed quoted strings or embedded CRLF sequences.

Example commands to detect suspicious requests might include using network packet capture tools like tcpdump or Wireshark to filter HTTP traffic with chunked transfer encoding, then analyzing the chunk extensions for anomalies.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use Wireshark to filter HTTP requests with Transfer-Encoding: chunked and inspect chunk extensions for unclosed quotes or embedded CRLF sequences.
  • Use custom scripts or tools to parse HTTP requests and flag chunk extensions containing CRLF inside quoted strings, which violate RFC 9112 and RFC 9110.
Mitigation Strategies

Currently, no patches or workarounds are available for this vulnerability.

The recommended mitigation is to upgrade to patched versions of Eclipse Jetty once they are released. Expected patched versions include 9.4.60, 10.0.28, 11.0.28, 12.0.33, and 12.1.7.

Until patches are available, consider implementing network-level protections such as Web Application Firewalls (WAFs) or reverse proxies that can detect and block malformed chunked requests with suspicious chunk extensions.

Additionally, monitor logs and network traffic for signs of HTTP request smuggling attempts and restrict access to the Jetty server to trusted clients where possible.

Compliance Impact

The vulnerability in Eclipse Jetty's HTTP/1.1 parser allows HTTP request smuggling, which can lead to unauthorized data access or modification, session hijacking, and access control bypass. These impacts can compromise the confidentiality and integrity of data handled by the affected server.

Such security breaches may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and integrity violations.

Because the vulnerability enables attackers to inject unauthorized requests and potentially access or alter protected data, organizations using affected Jetty versions could face compliance risks if this flaw is exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart