Platform: java
Component: org.eclipse.jetty:jetty-http
Fixed in: 12.1.7, 12.0.33, 11.0.28, 10.0.28, 9.4.60
This vulnerability affects Eclipse Jetty, a Java web server and servlet container. It arises from an issue in the HTTP/1.1 parser's handling of chunk extensions, allowing attackers to smuggle requests. Versions 9.4.0 through 12.1.6 are impacted, and a patch is available to address this security concern.
CVE-2026-2332 in Eclipse Jetty enables HTTP request smuggling attacks through incorrect parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values. This flaw occurs because Jetty doesn't properly validate the syntax of chunked encoding extensions when they are enclosed in quotes. An attacker could exploit this by sending malicious HTTP requests that are interpreted differently by the proxy server and the backend server, potentially leading to unauthorized access to resources or the execution of malicious code. The CVSS severity is 7.4, indicating a high risk. Applying the update to version 12.1.7 is crucial to mitigate this risk.
This vulnerability leverages 'Funky Chunks' techniques for HTTP request smuggling. The attacker manipulates chunked transfer encoding headers to trick the proxy server and backend server into interpreting requests differently. The use of quotes in the transfer encoding values introduces a specific vulnerability that Jetty doesn’t handle correctly. Successful exploitation requires the attacker to have control over the initial HTTP request and be able to manipulate it to include malicious chunked transfer encoding headers. The complexity of exploitation depends on the proxy and backend server configuration.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary solution to mitigate CVE-2026-2332 is to update Eclipse Jetty to version 12.1.7 or higher. This version includes a fix that addresses the quoted string parsing issue. Additionally, review server configuration to ensure robust security policies are implemented, such as input validation and limiting HTTP request length. Monitoring server logs for suspicious patterns related to chunked transfer encoding can also help detect and prevent attacks. Consider using Web Application Firewalls (WAFs) to filter malicious traffic.
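The paragraphs above describe the root cause as a parser that does not enforce the quoted-string grammar for chunk-extension values, and recommend watching traffic for unusual chunked-encoding patterns. The following is an added example, not code from Jetty or from this advisory: a strict checker for the chunk-size line grammar of RFC 9112 section 7.1.1 (chunk-size, optional chunk-ext, with chunk-ext-val as token or quoted-string), plus a walker that audits a whole chunked body and reports the first line a strict parser would refuse. The function names (parse_chunk_size_line, audit_chunked_body, is_wellformed) and the sample bodies GOOD_BODY and BAD_BODY are this example's own constructed values; the advisory does not spell out which exact byte sequences Jetty mishandled, so the example shows the grammar a defensive parser should enforce rather than reproducing the bug.

```python
import string

# Strict chunk-size line checker after RFC 9112 section 7.1.1 (added example,
# not Jetty code; the names and sample bodies below are this example's own).
# tchar is taken from RFC 9110 section 5.6.2.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


class ChunkLineError(ValueError):
    """Any deviation from: chunk-size [ chunk-ext ]."""


def _skip_bws(s, i):
    while i < len(s) and s[i] in " \t":  # BWS = optional SP / HTAB
        i += 1
    return i


def _parse_token(s, i):
    j = i
    while j < len(s) and s[j] in TCHAR:
        j += 1
    if j == i:
        raise ChunkLineError(f"expected token at offset {i}")
    return s[i:j], j


def _parse_quoted_string(s, i):
    # quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    i += 1  # skip the opening DQUOTE
    out = []
    while True:
        if i >= len(s):
            raise ChunkLineError("unterminated quoted-string")
        c = s[i]
        if c == '"':
            return "".join(out), i + 1
        if c == "\\":  # quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
            i += 1
            if i >= len(s):
                raise ChunkLineError("dangling backslash in quoted-string")
            c = s[i]
            if not (c == "\t" or " " <= c <= "~" or ord(c) >= 0x80):
                raise ChunkLineError(f"illegal quoted-pair {c!r}")
        # qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
        elif not (c in "\t !" or "#" <= c <= "[" or "]" <= c <= "~" or ord(c) >= 0x80):
            raise ChunkLineError(f"illegal octet {c!r} in quoted-string")
        out.append(c)
        i += 1


def parse_chunk_size_line(raw):
    """Parse one chunk-size line (without its CRLF) strictly.

    Returns (size, [(ext_name, ext_value_or_None), ...]) and raises
    ChunkLineError for anything the grammar does not permit."""
    s = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    n = len(s)
    j = 0
    while j < n and s[j] in string.hexdigits:  # chunk-size = 1*HEXDIG
        j += 1
    if j == 0:
        raise ChunkLineError("missing chunk-size")
    size, i, exts = int(s[:j], 16), j, []
    # chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
    while i < n:
        i = _skip_bws(s, i)
        if i >= n:
            raise ChunkLineError("trailing whitespace after chunk-ext")
        if s[i] != ";":
            raise ChunkLineError(f"unexpected {s[i]!r} at offset {i}")
        name, i = _parse_token(s, _skip_bws(s, i + 1))
        value = None
        k = _skip_bws(s, i)
        if k < n and s[k] == "=":
            k = _skip_bws(s, k + 1)
            if k < n and s[k] == '"':
                value, i = _parse_quoted_string(s, k)
            else:
                value, i = _parse_token(s, k)
        exts.append((name, value))
    return size, exts


def is_wellformed(raw):
    """True if the strict parser accepts the chunk-size line."""
    try:
        parse_chunk_size_line(raw)
        return True
    except ChunkLineError:
        return False


def audit_chunked_body(body):
    """Walk a chunked body; return [(offset, reason)] for the first line a
    strict parser refuses (empty list means every chunk-size line is clean)."""
    findings, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return findings + [(pos, "chunk-size line without CRLF")]
        try:
            size, _exts = parse_chunk_size_line(body[pos:end])
        except ChunkLineError as e:
            return findings + [(pos, str(e))]
        pos = end + 2
        if size == 0:  # last-chunk; the trailer section is not audited here
            return findings
        if body[pos + size:pos + size + 2] != b"\r\n":
            return findings + [(pos, "chunk-data not followed by CRLF")]
        pos += size + 2


# Constructed sample bodies: one valid quoted extension, one unterminated quote.
GOOD_BODY = b'5;ext="a b"\r\nhello\r\n0\r\n\r\n'
BAD_BODY = b'5;ext="abc\r\nhello\r\n0\r\n\r\n'
```

The design point is that a defensive parser either accepts a chunk-size line under the one grammar the RFC allows or rejects the whole message; it never guesses where a malformed quoted string ends. Run at an edge proxy or in a test harness, every rejection is a log event worth keeping, since a well-behaved client has no reason to send a chunk extension that fails this grammar.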
Update Eclipse Jetty to version 12.1.7 or later, 12.0.33 or later, 11.0.28 or later, 10.0.28 or later, or 9.4.60 or later to mitigate the HTTP request smuggling vulnerability. This vulnerability allows an attacker to inject malicious requests by exploiting the incorrect handling of chunk extensions in the HTTP/1.1 parser.
HTTP request smuggling is an attack technique that exploits differences in how proxy servers and backend servers process HTTP requests, allowing an attacker to insert malicious requests between legitimate ones.
Version 12.1.7 contains a specific fix for CVE-2026-2332, addressing the quoted string parsing vulnerability.
Besides updating, consider input validation, limiting HTTP request length, and using a WAF.
Monitor server logs for suspicious patterns related to chunked transfer encoding and request smuggling.
Penetration testing tools can help identify HTTP request smuggling vulnerabilities, including variants based on 'Funky Chunks'.