CVE-2026-2332
Published 2026-04-14
Priority: P3 54 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.13% (62.3th percentile)
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
```
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0
GET /smuggled HTTP/1.1
...
```
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | jetty | >= 10.0.0 < 10.0.28 | 10.0.28 |
| eclipse | jetty | >= 11.0.0 < 11.0.28 | 11.0.28 |
| eclipse | jetty | >= 12.0.0 < 12.0.33 | 12.0.33 |
| eclipse | jetty | >= 12.1.0 < 12.1.7 | 12.1.7 |
| eclipse | jetty | >= 9.4.0 < 9.4.60 | 9.4.60 |
| eclipse_foundation | eclipse_jetty | 10.0.0 – 10.0.27 | — |
| eclipse_foundation | eclipse_jetty | 11.0.0 – 11.0.27 | — |
| eclipse_foundation | eclipse_jetty | 12.0.0 – 12.0.32 | — |
| eclipse_foundation | eclipse_jetty | 12.1.0 – 12.1.6 | — |
| eclipse_foundation | eclipse_jetty | 9.4.0 – 9.4.59 | — |
CVSS provenance
- NVD: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
- Red Hat (vendor): 7.4 HIGH
GHSA
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
ghsa · 2026-04-14 · CVE-2026-2332 [HIGH] · CWE-444
### Description (as reported)
Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.
### Background
This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:
- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html
The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.
### Technical Details
**RFC 9112 Section 7.1.1** defines chunked transfer encoding:
```
chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
chunk-ext = *( BWS ";" BWS chunk-ext-n
```
Red Hat
org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
vendor_redhat · 2026-04-14 · CVSS 7.4 · CVE-2026-2332 [HIGH] · CWE-444
A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.
Statement: To exploit this issue, an attacker needs to send a crafted payload to a Jetty server that is behind a reverse proxy or load balancer, specifically with a chunk extension that includes an unclosed double quote before the CRLF to trick the parser. This flaw allows an attacker to bypass security controls, cause cache poisoning or gain unauthorized endpoint access. Due to these reasons, this vul
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-2332 jetty: HTTP request smuggling via chunked extension quoted-string parsing [fedora-all]
bugzilla · 2026-04-15 · CVSS 7.4 · CVE-2026-2332 [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-2332 org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
bugzilla · 2026-04-14 · CVSS 7.4 · CVE-2026-2332 [HIGH]
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
```
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0
GET /smuggled HTTP/1.1
...
```
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
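The RFC 9112 grammar quoted in the GHSA Technical Details and the request above describe one parsing differential: a strict parser rejects a chunk extension whose quoted-string is still open when the CRLF arrives, whereas the reported Jetty behaviour cuts the line there. The block below is an added example, not Jetty's or the advisory's code: a small chunk-size-line parser with a `lenient` switch that models the reported behaviour, run over a constructed copy of the advisory's body (`SMUGGLING_BODY`, `parse_chunk_line` and `accepts` are names chosen here).

```python
import re
# Added example (not Jetty's code): RFC 9112 chunk-size-line parsing, strict versus
# the lenient behaviour the advisory describes. The sample body below is constructed.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QDTEXT = rb"[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]"               # no CR, LF or other CTLs
QUOTED = rb'"(?:' + QDTEXT + rb'|\\[\t \x20-\x7e\x80-\xff])*"'  # quoted-pair allowed
# BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ], then ";" or end of line
EXT = re.compile(rb"[ \t]*;[ \t]*(" + TOKEN + rb")(?:[ \t]*=[ \t]*("
                 + QUOTED + rb"|" + TOKEN + rb"))?(?=[ \t]*(?:;|\Z))")
UNCLOSED = re.compile(rb'[ \t]*;[ \t]*(' + TOKEN + rb')[ \t]*=[ \t]*"([^"]*)\Z')  # quote never closed
SMUGGLING_BODY = b'1;ext="val\r\nX\r\n0\r\nGET /smuggled HTTP/1.1\r\n'  # constructed, mirrors the advisory
class ChunkLineError(ValueError):
    """The chunk-size line violates the chunk / chunk-ext grammar."""

def _unquote(value):
    if value[:1] == b'"':                   # drop DQUOTEs, resolve "\x" quoted-pairs
        value = re.sub(rb"\\(.)", rb"\1", value[1:-1], flags=re.S)
    return value.decode("latin-1")
def parse_chunk_line(buf, lenient=False):
    """Parse 'chunk-size [chunk-ext] CRLF' at the start of buf; returns
    (size, [(name, value_or_None), ...], offset of chunk-data). lenient=True
    models the reported Jetty behaviour: an unclosed quote is cut at the CRLF."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ChunkLineError("no CRLF terminating chunk-size line")
    line = buf[:end]
    m = re.match(rb"[0-9A-Fa-f]+", line)
    if not m:
        raise ChunkLineError("missing chunk-size")
    size, i, exts = int(m.group(), 16), m.end(), []
    while i < len(line):
        m = EXT.match(line, i)
        if m:
            exts.append((m.group(1).decode(), m.group(2) and _unquote(m.group(2))))
            i = m.end()
            continue
        m = lenient and UNCLOSED.match(line, i)
        if not m:
            raise ChunkLineError(f"malformed chunk extension at offset {i}")
        exts.append((m.group(1).decode(), m.group(2).decode("latin-1")))
        break                               # the CRLF ended the line inside the quote
    return size, exts, end + 2

def accepts(buf, lenient=False):            # does the chunk-size line parse in this mode?
    try:
        parse_chunk_line(buf, lenient)
        return True
    except ChunkLineError:
        return False
```

In lenient mode the body parses as a one-byte chunk followed by the terminal chunk, so the bytes after it are read as a new request; strict mode rejects the line at the unclosed quote, which is the check a front-end or back-end parser needs to make so both sides agree on where the body ends.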
Hackernews
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
blogs_hackernews · 2026-06-01 · CVSS 7.8 · CVE-2026-0257 [HIGH]
Monday hit like a cron job with anger issues.
A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality.
The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first. Then read the rest.
## ⚡ Threat of the Week
PAN-OS GlobalProtect Authenticati
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/89
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/errata/RHSA-2026:14272
- https://access.redhat.com/errata/RHSA-2026:17668
- https://access.redhat.com/errata/RHSA-2026:20568
- https://access.redhat.com/errata/RHSA-2026:21773
- https://access.redhat.com/errata/RHSA-2026:22453
- https://access.redhat.com/errata/RHSA-2026:25089
- https://access.redhat.com/security/cve/CVE-2026-2332
- https://bugzilla.redhat.com/show_bug.cgi?id=2458187
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2332.json
Published: 2026-04-14