HTTP Request Smuggling via Chunked Extension Quoted-String Parsing_CVE-2026-2332

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html

* https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Basic Information

ID CVE-2026-2332

Source eclipse

Published Apr 14, 2026 at 10:59

Affected Product

Vendor Eclipse Foundation

Product Eclipse Jetty

Version 12.1.0

Affected Versions Eclipse Foundation Eclipse Jetty 12.1.0
Eclipse Foundation Eclipse Jetty 12.0.0
Eclipse Foundation Eclipse Jetty 11.0.0
Eclipse Foundation Eclipse Jetty 10.0.0
Eclipse Foundation Eclipse Jetty 9.4.0

CWE Classification

CWE-444

References

{
    "lastseen": "",
    "description": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n  *  https://w4ke.info/2025/06/18/funky-chunks.html\n\n  *  https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at\u00a0\\r\\n\u00a0inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.",
    "published": "2026-04-14T10:59:10.193Z",
    "modified": "2026-04-14T10:59:10.193Z",
    "type": "cve",
    "title": "HTTP Request Smuggling via Chunked Extension Quoted-String Parsing",
    "source": "eclipse",
    "references": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf\nhttps://gitlab.eclipse.org/security/cve-assignment/-/issues/89",
    "id": "CVE-2026-2332",
    "bulletinFamily": "",
    "cwe": [
        "CWE-444"
    ],
    "cvelist": null,
    "sourceData": "Eclipse Foundation Eclipse Jetty 12.1.0\nEclipse Foundation Eclipse Jetty 12.0.0\nEclipse Foundation Eclipse Jetty 11.0.0\nEclipse Foundation Eclipse Jetty 10.0.0\nEclipse Foundation Eclipse Jetty 9.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Eclipse Jetty",
    "version": "12.1.0",
    "vendor": "Eclipse Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}