CVE-2026-24880

HTTP Request Smuggling
Affects: Apache Tomcat
Versions: >=7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <=9.0.115, >=10.1.0-M1 <=10.1.52, >=11.0.0-M1 <=11.0.18
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.

A low-severity vulnerability (CVE-2026-24880) has been identified in Apache Tomcat where the contents of HTTP/1.1 chunk extensions in chunked transfer encoding are not validated. This enables HTTP request smuggling when a reverse proxy in front of Tomcat allows CRLF sequences in an otherwise valid chunk extension.

Per OWASP: HTTP Request Smuggling is a technique that exploits discrepancies in the parsing of HTTP requests between front-end servers (such as reverse proxies or load balancers) and back-end servers. By manipulating how each server interprets the boundaries of HTTP requests, an attacker can smuggle a request to the back-end server that the front-end server does not see.

This issue affects versions 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.115, 10.1.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18 of Apache Tomcat.

Details

Vulnerability Info

The vulnerability exists in ChunkedInputFilter.java, which handles HTTP chunked transfer encoding. When parsing chunk extensions (the optional data after the chunk size and before the CRLF), Tomcat simply accepted all bytes without any validation.

This means if a reverse proxy in front of Tomcat allows CRLF sequences within a chunk extension (which some proxies consider valid in certain contexts), an attacker can inject additional HTTP content that Tomcat interprets as part of the next request, enabling request smuggling.

The fix introduces a new ChunkExtension.java class that implements a state machine parser validating that chunk extension bytes conform to RFC syntax. The parser tracks states including PRE_NAME, NAME, POST_NAME, EQUALS, VALUE, QUOTED_VALUE, POST_VALUE, and CR, rejecting any bytes that do not conform to the expected grammar.

A follow-up commit addressed edge cases found during review: support for name-only extensions (e.g., abc;abc), proper handling of non-blocking reads after CR before LF, and consistent exception handling.
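To make the state machine described above concrete, the validator below is an added illustration (not Tomcat's ChunkExtension.java): it walks a chunk header byte by byte through the PRE_NAME, NAME, POST_NAME, EQUALS, VALUE, QUOTED_VALUE, POST_VALUE and CR states, accepts only what the RFC 9112 chunk-ext grammar allows (including the name-only and CR-before-LF cases the follow-up commit covers), and refuses a bare CR or LF inside an extension of the kind the reproduction below relies on. All sample inputs in the tests are constructed.

```python
import string
# Grammar from RFC 9112 (chunk-ext) and RFC 9110 (token, quoted-string, BWS).
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())
QDTEXT = frozenset({0x09, 0x20, 0x21} | set(range(0x23, 0x5C)) | set(range(0x5D, 0x100)))
BWS = frozenset(b" \t")                     # optional whitespace around ';' and '='
SEMI, EQ, DQUOTE, BSLASH, CR, LF = 0x3B, 0x3D, 0x22, 0x5C, 0x0D, 0x0A
EXT_STATES = ("NAME", "POST_NAME", "VALUE", "POST_VALUE")   # ';' or CR may follow here

def parse_chunk_header(buf: bytes):
    """Return (chunk_size, header_len) once the header's CRLF is seen, None if buf ends
    early (e.g. CR read but LF not yet), or raise ValueError on a byte the grammar forbids."""
    i = len(buf) - len(buf.lstrip(string.hexdigits.encode()))   # hex chunk-size prefix
    if i == 0:
        raise ValueError("chunk size must start with a hex digit")
    size, state, escaped = int(buf[:i], 16), "POST_VALUE", False  # after size: BWS, ';' or CR
    for pos in range(i, len(buf)):
        c = buf[pos]
        if state == "CR" and c == LF:
            return size, pos + 1            # header complete; chunk data starts at pos + 1
        if c == CR and state in EXT_STATES:
            state = "CR"
        elif c == SEMI and state in EXT_STATES:
            state = "PRE_NAME"              # next extension begins
        elif c in BWS and state not in ("QUOTED_VALUE", "CR"):
            state = {"NAME": "POST_NAME", "VALUE": "POST_VALUE"}.get(state, state)
        elif c in TCHAR and state in ("PRE_NAME", "NAME"):
            state = "NAME"
        elif c == EQ and state in ("NAME", "POST_NAME"):
            state = "EQUALS"
        elif c in TCHAR and state in ("EQUALS", "VALUE"):
            state = "VALUE"
        elif c == DQUOTE and state == "EQUALS":
            state = "QUOTED_VALUE"
        elif state == "QUOTED_VALUE" and not escaped and c == BSLASH:
            escaped = True                  # start of a quoted-pair
        elif state == "QUOTED_VALUE" and not escaped and c == DQUOTE:
            state = "POST_VALUE"            # closing quote
        elif state == "QUOTED_VALUE" and (c in QDTEXT or escaped and c in (DQUOTE, BSLASH)):
            escaped = False                 # ordinary qdtext or the escaped character
        else:
            raise ValueError(f"invalid byte 0x{c:02x} in chunk extension (state {state})")
    return None                             # no CRLF yet: caller must read more

def rejects(buf: bytes) -> bool:            # helper for negative checks
    try:
        parse_chunk_header(buf)
    except ValueError:
        return True
    return False
```

Feeding the parser one byte at a time (as a non-blocking read would) gives the same results, because it returns None until the LF arrives and never accepts a CR that is not immediately followed by LF.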

Steps To Reproduce

To trigger this vulnerability, a reverse proxy must be configured in front of Tomcat that allows CRLF sequences within chunk extensions. The attacker sends a chunked request with a crafted chunk extension containing CRLF characters:

POST /target HTTP/1.1
Host: vulnerable-app.example.com
Transfer-Encoding: chunked

5;ext=val\r\nSMUGGLED\r\n
hello
0

When the reverse proxy treats the CRLF inside the chunk extension as part of the extension value but Tomcat interprets it as the end of the chunk, the SMUGGLED data is processed as part of the next request, allowing request smuggling.

Mitigation

Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive any updates to address this issue. NES for Tomcat includes an update to 8.5.x to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Xclow3n (finder)
Vulnerability Details

Severity: Low (CVSS >=0 <4)
ID: CVE-2026-24880
Project affected: Apache Tomcat
Versions affected: >=7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <=9.0.115, >=10.1.0-M1 <=10.1.52, >=11.0.0-M1 <=11.0.18
Published date: April 13, 2026
Approximate fix date: April 9, 2026
Category: HTTP Request Smuggling