CVE-2026-2332
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
CVE-2026-2332 affects Jetty due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding. This flaw allows attackers to perform request smuggling attacks. When Jetty encounters a \r\n inside a quoted string, it incorrectly stops parsing the chunk header instead of treating it as an error. This behavior leads to the potential for multiple HTTP responses being processed from a single request. The vulnerability can result in various security issues, including cache poisoning and access control bypass. Attackers can inject arbitrary HTTP requests, which may compromise user sessions. To exploit this, a crafted payload can be sent to the server, causing it to misinterpret the requests. The recommended fix is to ensure that chunk framing and extensions are parsed according to RFC 9112, treating any CRLF within quoted strings as an error. Currently, there are no patches or workarounds available for this vulnerability. Developers should prioritize addressing this issue to secure their applications.
Overview
Eclipse Jetty is a widely used Java-based web server and servlet container that supports HTTP/1.1 and provides a robust platform for developing web applications. It is known for its scalability and performance, making it a popular choice for both small and large-scale deployments.
A vulnerability has been identified in Eclipse Jetty related to request smuggling when using chunk extensions, specifically in the HTTP/1.1 parser. This issue arises because Jetty improperly terminates chunk extension parsing at carriage return and line feed sequences within quoted strings, allowing attackers to inject smuggled requests.
This vulnerability can be exploited by crafting specific HTTP requests that take advantage of the parser's behavior, potentially leading to unauthorized access or manipulation of web traffic. It is crucial for users of Eclipse Jetty to be aware of this issue and apply necessary mitigations.
According to the Common Weakness Enumeration (CWE), this vulnerability falls under CWE-444: Incomplete Control of Generation of Code ('Code Injection'). This classification indicates that the product does not adequately handle input that could alter the intended behavior of the request processing, leading to security risks.
Details
Module Info
- Product: Jetty
- Affected versions: >= 12.1.0, <= 12.1.6; >= 12.0.0, <= 12.0.32; >= 11.0.0, <= 11.0.27; >= 10.0.0, <= 10.0.27; >= 9.4.0, <= 9.4.59
- Package manager: Maven
- Fixed In: NES for Jetty 11.0.28; 10.0.28; 9.4.60
Mitigation
Only recent versions of Eclipse Jetty are community-supported, and only those versions receive updates addressing this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a supported version of Eclipse Jetty (12.0.33 or 12.1.7)
- Leverage a commercial support partner like HeroDevs for post-EOL security support
Steps To Reproduce
1. Set Up Affected Environment: Deploy an affected version of Eclipse Jetty on a server configured behind a front-end reverse proxy or load balancer. Ensure the proxy forwards HTTP/1.1 requests to the Jetty backend.
2. Prepare the Crafted Payload: Construct a malicious HTTP request that uses the Transfer-Encoding: chunked header. Within the request body, create a chunk extension that includes an unclosed double quote immediately preceding a carriage return and line feed (CRLF). For example: 1;ext="val\r\n (an unclosed quote followed by CRLF).
3. Embed the Smuggled Request: Directly below the malformed chunk extension, append a secondary, smuggled HTTP request payload (e.g., GET /smuggled HTTP/1.1) designed to access a restricted endpoint or trigger an unauthorized action.
4. Send the Crafted Request: Transmit the constructed payload through the reverse proxy to the Jetty server. The proxy should forward the payload as a single message, while the vulnerable Jetty parser terminates chunk extension parsing early at the CRLF instead of throwing an error, treating the rest of the body as a separate request.
5. Verify Request Smuggling: Monitor the server’s response and access logs. If the Jetty server processes the smuggled request and returns a response for the unauthorized /smuggled endpoint, it confirms the parser was tricked and security controls were bypassed.
6. Post-Remediation Verification: After applying a patch or migrating to a fixed version of Eclipse Jetty, repeat steps 2 through 4. Confirm that the Jetty HTTP/1.1 parser correctly flags the unclosed quote before the CRLF as an error (typically returning an HTTP 400 Bad Request) and refuses to process the smuggled payload.
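The parser behaviour that the recommended fix calls for, as an added illustration that is not Jetty's code or part of this advisory: a strict chunk-size-line parser following the RFC 9112 grammar (chunk-size [chunk-ext] CRLF, with chunk-ext-val as token or quoted-string) next to a lenient one that stops at the first CRLF regardless of quote state, which is the bug class described above. SAMPLE is a constructed input in the shape the reproduction steps describe.

```python
import re

TCHAR = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 token chars
BWS = re.compile(rb"[ \t]*")  # optional whitespace permitted around ';' and '='
# Constructed sample in the shape the advisory describes: an unclosed quote
# before CRLF, followed by a second request line.
SAMPLE = b'1;ext="val\r\nGET /smuggled HTTP/1.1\r\n\r\n'

class ChunkHeaderError(ValueError):
    """Chunk-size line violates the RFC 9112 grammar."""

def lenient_chunk_header(buf):
    """Bug class: line ends at the first CRLF even inside an open quote; the bytes
    after it are later read as chunk data or a new request. -> (size, consumed)"""
    end = buf.index(b"\r\n")
    return int(buf[:end].split(b";", 1)[0].strip(), 16), end + 2

def strict_chunk_header(buf):
    """RFC 9112: chunk-size [chunk-ext] CRLF, chunk-ext-val = token / quoted-string.
    CR and LF are not qdtext, so CRLF inside an open quote is a framing error."""
    m = re.match(rb"[0-9A-Fa-f]+", buf)
    if not m:
        raise ChunkHeaderError("missing chunk-size")
    size, i = int(m.group(), 16), BWS.match(buf, m.end()).end()
    while buf[i:i + 1] == b";":                 # one chunk extension per ';'
        name = TCHAR.match(buf, BWS.match(buf, i + 1).end())
        if not name:
            raise ChunkHeaderError("empty chunk-ext-name")
        i = BWS.match(buf, name.end()).end()
        if buf[i:i + 1] != b"=":
            continue                            # extension without a value
        i = BWS.match(buf, i + 1).end()
        if buf[i:i + 1] == b'"':                # quoted-string value
            i += 1
            while buf[i:i + 1] != b'"':
                if buf[i:i + 1] == b"\\":       # quoted-pair escapes one byte
                    i += 1
                if buf[i:i + 1] in (b"", b"\r", b"\n"):
                    raise ChunkHeaderError("CRLF or end of input inside quoted-string")
                i += 1
            i = BWS.match(buf, i + 1).end()
        else:                                   # token value
            val = TCHAR.match(buf, i)
            if not val:
                raise ChunkHeaderError("empty chunk-ext-val")
            i = BWS.match(buf, val.end()).end()
    if buf[i:i + 2] != b"\r\n":
        raise ChunkHeaderError("chunk line must end with CRLF")
    return size, i + 2
```

On SAMPLE the lenient parser returns a 1-byte chunk and leaves the second request line in the stream, while the strict parser raises, which is the 400 Bad Request behaviour the post-remediation check looks for.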