CVE-2026-2332

Summary

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked

1;ext="val X 0

GET /smuggled HTTP/1.1 …

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Jetty12.1.0 <= 12.1.6affected
Eclipse FoundationEclipse Jetty12.0.0 <= 12.0.32affected
Eclipse FoundationEclipse Jetty11.0.0 <= 11.0.27affected
Eclipse FoundationEclipse Jetty10.0.0 <= 10.0.27affected
Eclipse FoundationEclipse Jetty9.4.0 <= 9.4.59affected

Weaknesses

  • CWE-444: CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing

Additional References

References