CVE-2026-2332

HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Assigner: eclipse
Reserved: 11.02.2026 Published: 14.04.2026 Updated: 14.04.2026

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html

https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked

1;ext="val X 0

GET /smuggled HTTP/1.1 ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Eclipse Foundation
Product	Eclipse Jetty
Versions	Default: unaffected affected from 12.1.0 to 12.1.6 (incl.) affected from 12.0.0 to 12.0.32 (incl.) affected from 11.0.0 to 11.0.27 (incl.) affected from 10.0.0 to 10.0.27 (incl.) affected from 9.4.0 to 9.4.59 (incl.)

Vendor

Eclipse Foundation

Product

Eclipse Jetty

Versions

Default: unaffected

affected from 12.1.0 to 12.1.6 (incl.)
affected from 12.0.0 to 12.0.32 (incl.)
affected from 11.0.0 to 11.0.27 (incl.)
affected from 10.0.0 to 10.0.27 (incl.)
affected from 9.4.0 to 9.4.59 (incl.)

Credits

https://github.com/xclow3n reporter

References

Problem Types